COMMAND

    abuse.man (webmanager kit)

SYSTEMS AFFECTED

    Linux

PROBLEM

    Guido Bakker found the following. abuse.man is a Perl CGI script
    that directs the client to the specified homepage, allowing vhosts
    to be administered with ease through the use of this webmanager kit.

    A serious security problem was discovered on the manufacturer's
    webserver that allowed remote and local users to execute arbitrary
    commands on the webserver as the uid of the httpd. Thus, with a
    carefully constructed URL, an attacker could potentially exploit
    this CGI, leading to a root compromise.

    abuse.man used the following absolute path as the URL to bring up
    the base page:

        http://server.com/file=/disk1/e/domain/public_html/index.html&domain=hostname.com&script=/index.html

    As we can see, $file shows the actual server-side directory that
    the CGI and index page reside in. The $domain has been modified
    for security purposes, but this variable displays the vhost name.
    The $script variable opens the default home page HTML file.

    Hence, by modifying the $file variable we could then view files or
    execute commands as the httpd. E.g.:

        file=/disk1/e/domain/public_html/../../../../../../etc/hosts&

    Now, with a carefully constructed URL, we are able to pipe
    arbitrary commands to the server, since this CGI is Perl based:

        file=/disk1/e/domain/public_html/../../../../../../bin/ls+/|&

    The contents of the root directory were thus displayed.

SOLUTION

    An email was sent to the manufacturer's website describing this
    bug in detail, with information on how to fix the problem. By
    patching the abuse.man CGI, the webmaster could verify all user
    input and use relative links rather than absolute paths to avoid
    this potential exploitation.
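
    The fix described above, sketched in Perl as an added example (not
    the vendor's patch or code from abuse.man). It assumes the script
    passed the file parameter to Perl's two-argument open(); $DOCROOT,
    resolve_page() and read_page() are hypothetical names.

```perl
#!/usr/bin/perl
# Added example, not the vendor's code. $DOCROOT, resolve_page() and
# read_page() are hypothetical; the docroot is the sample path from the advisory.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

my $DOCROOT = '/disk1/e/domain/public_html';   # fixed server-side, never taken from the URL

# Map a client-supplied *relative* page name to a file inside the docroot.
# Returns the canonical path, or nothing if the request must be rejected.
sub resolve_page {
    my ($root, $page) = @_;
    return unless defined $page && length $page;
    # Allow-list of characters: rejects '|', spaces, '+', NUL and anything
    # else that open() or a shell could interpret.
    return unless $page =~ m{\A[A-Za-z0-9._/-]+\z};
    # No absolute paths and no '..' path components.
    return if $page =~ m{\A/} || grep { $_ eq '..' } split m{/}, $page;
    my $base = realpath($root);
    return unless defined $base;
    # Canonicalise (this resolves symlinks) and confirm the result is a
    # regular file that still lives under the docroot.
    my $real = realpath(File::Spec->catfile($base, $page));
    return unless defined $real && index($real, "$base/") == 0 && -f $real;
    return $real;
}

sub read_page {
    my ($path) = @_;
    # Three-argument open: $path is only ever treated as a file name, so a
    # trailing '|' cannot turn the open into a command pipe.
    open(my $fh, '<', $path) or return;
    local $/;                       # slurp the whole file
    my $html = <$fh>;
    close $fh;
    return $html;
}

# Constructed inputs mirroring the requests shown in the advisory
# ('+' in the URL decodes to a space). Without the docroot on disk,
# all three print "rejected".
for my $req ('index.html', '../../../../../../etc/hosts', '../../../../../../bin/ls /|') {
    my $path = resolve_page($DOCROOT, $req);
    printf "%-32s %s\n", $req, defined $path ? "serve $path" : 'rejected';
}
```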