CGIscript.net - csPassword.cgi - Multiple Vulnerabilities --------------------------------------------------------------------- Date : May 29, 2002 Product : csPassword.cgi Vendor : WWW.CGIscript.NET, LLC. Homepage : http://www.cgiscript.net/ DISCUSSION: --------------------------------------------------------------------- >From the website "An automated system for creating and maintaining apache style .htaccess files to password protect website directories." The following issues have been found: 1) because .htpasswd files are generated in the same folder as the .htaccess files, a web accessible folder, it may be possible for a user who has a password for the protected folder to download the .htpasswd file with the usernames and passwords (crypted) of all the other users. Note: The web server would have to not otherwise restrict access to .ht* files (some do, some don't). 2) When the program displays an error, it also display a lot of debug information, including form input, environment values, etc. There's at least a "file path disclosure" problem there, if not more. Sample error URL: csPassword.cgi?command=remove (They call the &remove() function but don't define it) 3) For someone who has login access to the csPassword program, it would be possible to insert additional directives to the .htaccess file that is generated. Allowing them to potentially do funky things to the web server (redirect traffic, set scripts or data files as viewable text files, make aliases to other non web folders, etc, etc). This is done by specifying nextlines and additional chars in the title field on the edit page. 4) When the program saves, delete, etc it's data file it creates a "password.cgi.tmp" file that contains all the usernames and (un-encrypted) passwords. Depending on your setup, this file may be readable and someone hammering your server with requests may be able to download it before the program can rename it over the original. This may be tough, but possible. Note: It looks as if a number of cgiscript.net's other scripts also have this problem. EXPLOIT: --------------------------------------------------------------------- An easy way to enter nextlines into the text field on the edit page is to have your browser turn it into a textbox for you. In internet explorer, you can do that by pasting this into the address bar: javascript:void(document.form1.title.outerHTML="<textarea name=title></textarea>"); SOLUTION --------------------------------------------------------------------- Make sure you only allow trusted users to use the csPassword application and make sure your web server in configured to deny requests for .ht* and *.tmp files. Additionally, password protecting the directory the csPassword program is in will prevent a non-authorized user from viewing debug data (#2) or downloading tmp files. VENDOR RESPONSE --------------------------------------------------------------------- Vendor was quick to respond. Effected users can receive a patch from Vendor on request. DISCLAIMER --------------------------------------------------------------------- The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lays within the user's responsibility. CREDIT --------------------------------------------------------------------- Special thanks to Michael J McCafferty (mike@m5computersecurity.com) for his assistance with this advisory. __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com
