COMMAND
bbs_forum.cgi
SYSTEMS AFFECTED
bbs_forum.cgi 1.0 (Others unknown)
PROBLEM
Following is based on CGI Security Advisory #3.1. Any file can
be read with the permissions of the user the web server runs as
(usually nobody). Possible root compromise via the bbs_forum.cgi
script: older versions also allow command execution, and therefore
shell spawning is possible. This has been tested on Unix and Linux
systems only; it is unknown whether Windows versions exist and/or
are affected.
One thing to note about this hole is that the script was running
Perl in taint mode and still allowed arbitrary files to be read
(command execution, as the clarification below explains, applies
only to the older pre-taint-mode versions). This was not originally
intended, and it is proof that perl -T is not always enough: taint
checks stop tainted data from reaching commands or file writes, but
opening a file for reading is not a taint-checked operation.
Example:
www.host.com/cgi-bin/bbs_forum.cgi?forum=<valid forum name>&read=../bbs_forum.cgi
This will return the script's own source code. Note that a valid
forum name must be supplied for this to work; a request that sets
only read= may not work.
Here are some clarifications on the remote execution versus remote
file reading portions of the advisory:
1) Very old versions of bbs_forum.cgi allowed command execution
because of missing input handling: the filename passed to Perl's
open() came straight from the user, and a two-argument open() with
no explicit mode honours a leading or trailing "|" in that name as
a request to run a command.
This was fixed several years ago two-fold: (1) adding taint mode
and (2) tightening Perl's open() calls so that the read mode
character (e.g. "<") is given explicitly instead of relying on
open()'s default mode being "open for read", since it is that
default that lets a pipe character in the name select a command.
Part of this advisory was written from testing this pre-taint-mode
version of the script.
2) However, taint mode does not check user input that is only used
to open a file for reading. So a directory traversal/arbitrary file
reading bug remained in the read parameter when used in conjunction
with the other input parameters, as stated below.
In summary, those people running a version of bbs_forum.cgi
without taint mode are running a really old version and should
upgrade completely, as they have ignored our prior security alerts.
Those who do have taint mode enabled in the script can safely
assume the patch below is the only patch they require.
SOLUTION
The vendor has been contacted about this serious security problem.
Please visit the vendor's website for patches and other important
information.
If you have made extensive modifications to bbs_forum.cgi and do
not wish to start over from scratch, search for the line at the
start of bbs_forum.cgi that says
&ReadParse;
And insert afterwards the following:
if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i)
{
print "Invalid Message #";
die("Invalid Message # provided: " .
$in{'read'});
}
if ($in{'reply_to_message'} &&
$in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
print "Invalid Reply To Message #";
die("Invalid Reply To Message # provided: " .
$in{'reply_to_message'});
}
This code ensures that the message file form variables can only be
a filename of the strict format digits, a hyphen, digits and the
literal string ".msg", so neither a "../" traversal nor a pipe
character can ever reach open().
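Here is an added example that puts the two halves of this advisory side by side. It is not the bbs_forum.cgi source: the forum directory, the message file, the "secret" file outside it, the %in stand-in and the function names vulnerable_read and safe_read are all constructed for the demonstration. Run it with and without -T to see that taint mode refuses the trailing-pipe command execution of the old versions but still lets read=../secret.txt leave the forum directory, while the allow-list from the patch above plus an explicit "<" mode rejects both.

```perl
#!/usr/bin/perl
# Added example for this advisory; not the bbs_forum.cgi source. The forum
# directory, the message and "secret" files, %in and the two read functions
# are all constructed here to show (a) why taint mode stops the old pipe-open
# command execution but not the read= traversal, and (b) the allow-list plus
# explicit read mode that closes both. Run as:
#   perl demo.pl '../secret.txt'        (no taint checks: old behaviour)
#   perl -T demo.pl '../secret.txt'     (taint checks on: read still works)
#   perl demo.pl '; echo pwned|'        (old two-arg open runs the command)
#   perl -T demo.pl '; echo pwned|'     (taint mode refuses the pipe)
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed message store: one valid message inside the forum directory and
# one file outside it that read= must never be able to reach.
my $root  = tempdir(CLEANUP => 1);
my $forum = "$root/forum";
mkdir $forum or die "mkdir $forum: $!";
write_file("$forum/1-1.msg",   "Hello from message 1-1\n");
write_file("$root/secret.txt", "this should never be readable via read=\n");

# Stand-in for what &ReadParse leaves in %in. Taking the value from @ARGV keeps
# it tainted under -T, exactly as a CGI form value would be.
my %in = (forum => 'forum', read => defined $ARGV[0] ? $ARGV[0] : '1-1.msg');

# Vulnerable pattern: two-argument open() on an unvalidated, user-supplied
# name. With no explicit mode, open() honours "../" (traversal) and a trailing
# "|" (run the rest of the name as a shell command). Under -T the piped open
# dies with "Insecure dependency", but the traversal read succeeds, because
# opening a file for reading is not a taint-checked operation.
sub vulnerable_read {
    my ($name) = @_;
    open(my $fh, "$forum/$name") or return "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Fixed pattern: the allow-list from the vendor patch, plus a three-argument
# open() with an explicit '<' so the name can never select a pipe. The capture
# is also what untaints the value under -T.
sub safe_read {
    my ($name) = @_;
    my ($clean) = $name =~ /^(\d+-\d+\.msg)$/i
        or return "Invalid Message # provided: $name\n";
    open(my $fh, '<', "$forum/$clean") or return "open failed: $!\n";
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Helper used only to build the constructed message store above.
sub write_file {
    my ($path, $text) = @_;
    open(my $fh, '>', $path) or die "write $path: $!";
    print {$fh} $text;
    close $fh;
}

my $read = $in{'read'};
print "taint mode: ", (${^TAINT} ? "on" : "off"), "\n";

print "vulnerable_read('$read'):\n";
my $out = eval { vulnerable_read($read) };
print defined $out ? $out : "  died: $@";

print "safe_read('$read'):\n";
print safe_read($read);
```

The capture in safe_read matters as much as the regex: under -T, only data extracted through a regex match is considered clean, so using the captured group (rather than the original $in{'read'}) is what keeps the later open() from being flagged if it is ever changed to a mode that taint checks do cover.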