vuln in wwwisis: remote command execution and get files

From:	 Klaus Ripke <krip@openisis.org>
To:	 Bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
	 webappsec@securityfocus.com, cert@cert.org
Subject: vuln in wwwisis: remote command execution and get files
Date:	 Thu, 28 Mar 2002 17:26:57 +0100
Cc:	 abel@brm.bireme.br

Name               : wwwisis remote command execution and get files
Software Package   : wwwisis
possibly affected  : JavaISIS and other tools based on wwwisis
Vendor Homepage    : http://www.bireme.br/isis/I/wwwi.htm
Vulnerable Versions: 3.45 verified, probably others
Platforms          : Linux verified, probably others
Vulnerability Type : Input Validation Error
Vendor Contacted   : 28 Feb 2002
Vendor Replied     : 01 Mar 2002



CONTACT INFORMATION
===============================================================================

Name                   : Klaus Ripke
E-mail                 : krip@openisis.org

Vendor contact name    : Abel Laerte Packer
Vendor contact e-mail  : abel@brm.bireme.br



TECHNICAL INFO
===============================================================================


Introduction:

wwwisis runs as cgi to query mostly bibliographical databases.
Deployed on probably some hundred systems or more.
While this vuln is probably currently not being exploited,
it's possible to install workarounds right now,
therefore this information is published.


Summary:

In common setups of wwwisis, query parameters can be forged
to have wwwisis execute any (shell) command and display any
readable file as allowed for the user of the cgi process.
Vulnerability can be avoided with careful setup.


Description:

Input parameters from query string are not checked for bad input.
In common plain-vanilla setups such as the examples in the manual,
it is possible to have the process execute any format as sent by the
remote user. The formatting language has some too powerful functions.
There is also an alternate attack possibility abusing PATH_INFO.


Impact:

Ability to execute any command and get any file as allowed for
the cgi process.


Exploits:

Since there is not yet a fix published,
and the vuln is probably currently not being exploited,
details are to follow at a later time.


Workaround:

Avoid wwwisis being called directly -- wrap it up in a perl -t script.
Wipe out any suspicious stuff from query params, clean up the ENV,
then exec wwwisis with a list of params. Read the perlsec manpage.


Vendor Status:

Bireme will check it out.