COMMAND

    Cosmo Create

SYSTEMS AFFECTED

    IRIX systems running Cosmo Create 1.0 and 1.0.1

PROBLEM

    Cosmo Create 1.0 and 1.0.1 allow you to dump a boilerplate Perl
    CGI script from the Form Tool Script dialog. On line 33 of the
    script is the line:

        eval("\$$key = \"$value\"");

    This line introduces a security hole in the script: it builds a
    string from each submitted form field's name and value and passes
    that string to Perl's eval, which runs it as code. The purpose of
    the line was to allow form variables to be accessed as Perl
    variables. The boilerplate script did not make use of this
    feature; it was purely a convenience. The script actually refers
    to form variables using the $form associative array (e.g.
    $form{'checkbox'}).

    Note that in order to be vulnerable to this security hole you must
    have explicitly asked Cosmo Create 1.0 or 1.0.1 to generate a
    boilerplate CGI script, and that script, with the above 'eval'
    line, must be in service on a web server. Credit for this goes to
    Baron Roberts.

SOLUTION

    This security hole has been fixed and will be in the upcoming
    1.0.2 release of Cosmo Create.

    If you have a form script generated by Cosmo Create 1.0 or 1.0.1,
    check for the 'eval' line above. If this line is found, remove it
    and refer to all form variables using the $form{'<variable name>'}
    syntax.
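
    One way to run the check above across a whole CGI directory, as an
    added example that is not part of the original advisory. The names
    find_cosmo_eval, make_constructed_samples and COSMO_EVAL_RE are
    hypothetical; the pattern goes slightly beyond the exact line by
    tolerating extra whitespace and skipping commented-out copies.

```shell
#!/bin/sh
# Added example (not from the advisory). All names here are hypothetical.
# ERE for the advisory's line: eval("\$$key = \"$value\"");
# Extra whitespace around "(", "=" and ")" is tolerated.
COSMO_EVAL_RE='eval[[:space:]]*\([[:space:]]*"\\\$\$key[[:space:]]*=[[:space:]]*\\"\$value\\""[[:space:]]*\)'

# find_cosmo_eval DIR
#   Prints "file:line:text" for every live match under DIR.
#   Lines whose first non-blank character is "#" are Perl comments and
#   are skipped. Returns 0 if a live match exists, 1 if none, 2 on bad DIR.
find_cosmo_eval() {
    [ -d "$1" ] || { echo "usage: find_cosmo_eval DIR" >&2; return 2; }
    # /dev/null forces grep to print the file name even for a single file.
    find "$1" -type f -exec grep -nE -- "$COSMO_EVAL_RE" /dev/null {} + |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# make_constructed_samples DIR
#   Writes two constructed test scripts (not real Cosmo Create output).
make_constructed_samples() {
    cat > "$1/vulnerable.cgi" <<'EOF'
#!/usr/bin/perl
# constructed sample: still contains the eval line
    eval("\$$key = \"$value\"");
print $form{'checkbox'};
EOF
    cat > "$1/fixed.cgi" <<'EOF'
#!/usr/bin/perl
# constructed sample: eval line commented out
#   eval("\$$key = \"$value\"");
print $form{'checkbox'};
EOF
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    find_cosmo_eval "$1"
fi
```

    Run it with the web server's CGI directory as the only argument;
    an exit status of 0 means at least one script still needs the
    line removed.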