Attached is a security advisory for Mod_Survey, which is a mod_perl module for apache (see attachment). The advisory was first published 2003-03-23 at http://gathering.itm.mh.se/modsurvey/SA20030323.txt More info about Mod_Survey can be found on its home page, which is available at http://gathering.itm.mh.se/modsurvey/ // Joel ################################################# Mod_Survey Security Advisory 2003-03-23, ENV tags ################################################# ABOUT MOD_SURVEY ---------------- Mod_Survey is an Apache module which displays and handles questionnaires written in a special XML-based markup language. Mod_Survey is primarily targeted towards Linux/Unix, but is possible to run in Windows. SUMMARY ------- If ENV tags are used in surveys it is, under certain circumstances, possible for an outside evil person to send arbitrary data to the data handling system. This could corrupt the data repository or, in the case of badly configured RDBMSs, be used to execute arbitrary database commands. This only affects survey files where ENV tags are used. ERROR CATEGORY -------------- The error falls into the class "Input Validation Error". It is possible to exploit remotely. VULNERABLE ---------- All versions from version 3.0.9 up to (but not including) 3.0.14e and 3.0.15-pre6 are vulnerable. Thus the following versions have the problem: 3.0.9 3.0.10 3.0.11 3.0.12 3.0.13 3.0.14 3.0.14d 3.0.15-pre1 3.0.15-pre2 3.0.15-pre3 3.0.15-pre4 3.0.15-pre5 Not vulnerable: Versions 3.0.8 and earlier 3.0.14e 3.0.15-pre6 SOLUTION -------- For systems with 3.0.14d or earlier installed, upgrade to 3.0.14e. For systems with versions from 3.0.15-pre1 to -pre5, upgrade to 3.0.15-pre6. If you only have trusted users on the system, you can also simply refrain from using ENV tags. Surveys that do not include the ENV tags are not vulnerable. LONGER DISCUSSION ----------------- In version 3.0.9, ENV tags were introduced as a way to submit data from the environment to the data repository along with the actual questionnaire answers. This is, when used at all, usually used for gathering info such as from which IP the respondent has connected, or which user agent the respondent is using. So far this data has been sent unchecked to the data sub system. However, a malicious user could easily craft some of the most common environment variables and thus send arbitrary data to the system. One example would be if the survey author is using an ENV tag with the field HTTP_USER_AGENT. The evil cracker could then change this string in his browser to something which he knew would corrupt the data repository, such as the delimiting character for ASCIIFILE/AUTODATA save methods or meta characters for the DBI save method. In versions 3.0.14e and 3.0.15-pre6 this has been solved through the encoding of the environment string. With this encoding all "dangerous" characters are encoded to %XX where XX is the character's hex code. Thus a semi-colon is submitted as %1B rather than as a semi-colon. EXPLOIT ------- Anyone can exploit this by changing the user_agent string in his browser. IMPACT ------ There are several points limiting the impact of the problem: The ENV tag must be actively chosen and inserted by a survey author for the above to be a problem. Secondly, most fields are not possible to change from the outside as they are set by Apache. Thirdly, unless access is given to the source of the survey, there is no way to know from the outside whether an ENV tag is used at all. CREDITS ------- The bug was first discovered and discussed on the mod_survey mailing list by Nicklas Deutschmann.
