COMMAND

    cgic library

SYSTEMS AFFECTED

    Systems using cgic (mostly)

PROBLEM

    Jon Ribbens found the following.  Thomas Boutell's cgic library
    (version 1.05) has a buffer overflow in cgiFormEntryString() which
    is almost certainly exploitable (although exploitability obviously
    depends on the program that has linked with cgic and on what the
    overflowed buffer sits next to).

    The fault is that the routine checks 'len == avail' once, before
    examining each input character, but does not check again after
    outputting the LFs accumulated from a preceding run of CR/LF
    characters and before outputting the character itself.  (i.e. it
    checks that there is 1 byte free in the buffer, but can then place
    2 or more bytes in the buffer before checking again: one LF for
    each CR or LF in the run, plus the character that ended the run.)
    So if 'avail' is 'n', the 'n-1'th character is LF or CR and the
    'n'th character is *not* LF or CR, the LF goes into the last free
    byte and the character is written at the end of the buffer
    (because avail == sizeofbuffer-1), leaving len = avail + 1.  Since
    the test is always 'len == avail' rather than 'len >= avail', the
    overflow detection never kicks in and the routine keeps copying
    until the end of the input.  The attacker is free to copy whatever
    data they desire into the memory above the buffer.
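    To make the mechanics above concrete, the following is an added
    example, not cgic's source: two reconstructions of the copy loop
    as the text describes it, one with the single 'len == avail' test
    (the assumed 1.05 shape) and one that tests 'len >= avail' before
    every byte written, flushed LFs included.  Both follow the
    cgiFormString() contract that 'max' is the destination size, so
    'avail = max - 1'.  To keep the demonstration itself memory-safe
    they write into a large scratch buffer and return the byte count;
    anything above max - 1 is what would have landed past the end of a
    real buffer of size max.  The inputs are constructed, and the
    example also shows the general case the text only hints at: a run
    of k CRs followed by an ordinary character lands k + 1 bytes after
    a single check, not just 2.

```c
#include <stdio.h>
#include <string.h>

/* Scratch destination so the overflow is measured rather than suffered.
 * Output never exceeds strlen(src) bytes (each input byte yields at most
 * one output byte), so a bound on strlen(src) keeps the demo in bounds.
 * The real API's `newlines` flag is omitted here (assumed set). */
#define SCRATCH_SIZE 4096
static char scratch[SCRATCH_SIZE];

static int max_int(int a, int b) { return a > b ? a : b; }

/* Assumed 1.05 shape (reconstruction, not cgic's code): one `len == avail`
 * test before each input character is examined.  The LFs flushed for a
 * preceding CR/LF run and the character itself are written unchecked, so
 * `len` can jump past `avail`; the equality test then never fires again
 * and the rest of the input is copied verbatim. */
size_t bytes_written_vulnerable(const char *src, size_t max)
{
    size_t len = 0, avail = max - 1;
    int crCount = 0, lfCount = 0;
    const char *sp = src;
    char *dp = scratch;

    if (max == 0 || strlen(src) >= SCRATCH_SIZE)
        return 0;

    for (;;) {
        int ch = (unsigned char)*sp;
        if (len == avail)               /* the only bounds check: == not >= */
            break;
        if (ch == '\r' || ch == '\n') {
            if (ch == '\r') crCount++; else lfCount++;
        } else {
            if (crCount || lfCount) {
                int lfsAdd = max_int(crCount, lfCount);
                while (lfsAdd--) {      /* unchecked: may run past avail */
                    *dp++ = '\n';
                    len++;
                }
                crCount = lfCount = 0;
            }
            if (ch == '\0')
                break;
            *dp++ = (char)ch;           /* unchecked as well */
            len++;
        }
        sp++;
    }
    *dp = '\0';
    return len;
}

/* Hardened form: `len >= avail` is tested immediately before every byte
 * that is written, flushed LFs included, so at most avail bytes land in
 * the destination and the terminating NUL always fits. */
size_t bytes_written_fixed(const char *src, size_t max)
{
    size_t len = 0, avail = max - 1;
    int crCount = 0, lfCount = 0, truncated = 0;
    const char *sp = src;
    char *dp = scratch;

    if (max == 0 || strlen(src) >= SCRATCH_SIZE)
        return 0;

    while (!truncated) {
        int ch = (unsigned char)*sp;
        if (ch == '\r' || ch == '\n') {
            if (ch == '\r') crCount++; else lfCount++;
        } else {
            int lfsAdd = max_int(crCount, lfCount);
            crCount = lfCount = 0;
            while (lfsAdd--) {
                if (len >= avail) { truncated = 1; break; }
                *dp++ = '\n';
                len++;
            }
            if (truncated || ch == '\0')
                break;
            if (len >= avail) { truncated = 1; break; }
            *dp++ = (char)ch;
            len++;
        }
        sp++;
    }
    *dp = '\0';
    return len;
}

int main(void)
{
    /* Constructed inputs for a 10-byte destination (avail = 9). */
    const char *lf_case = "AAAAAAAA\n" "BBBBBBBBBB" "BBBBBBBBBB"; /* 8 A, LF, 20 B */
    const char *cr_case = "AAAAAAA\r\r\r\rB";                     /* 7 A, 4 CR, B  */

    printf("LF case: vulnerable wrote %zu bytes, fixed wrote %zu (max 10)\n",
           bytes_written_vulnerable(lf_case, 10), bytes_written_fixed(lf_case, 10));
    printf("CR run : vulnerable wrote %zu bytes, fixed wrote %zu (max 10)\n",
           bytes_written_vulnerable(cr_case, 10), bytes_written_fixed(cr_case, 10));
    return 0;
}
```

    Note the off-by-one flavour of the bug: nine 'A's followed by a
    newline are caught by the 'len == avail' test, but eight 'A's, a
    newline and one more character slip past it, and from then on the
    whole remaining input is copied.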

    As an example, the cgictest program can be segfaulted by the
    following (the number of characters needed before the %0A depends
    on the size of the buffer the calling program hands to cgic):

        $ REQUEST_METHOD=GET QUERY_STRING='address=<240 x letter 'A'>%0A<1000 x letter 'A'>' ./cgictest

        Content-type: text/html

        <HTML><HEAD>
        <TITLE>cgic test</TITLE></HEAD>
        <BODY><H1>cgic test</H1>
        Name: <BR>
        Address: <PRE>
        <lots of letter A's>
        Segmentation fault (core dumped)

    One other point is that the 'cgiSaferSystem' function appears  to
    be seriously misguided.  It merely escapes the '|' and ';'
    characters, which is of course totally inadequate: the shell  has
    many other metacharacters (backquotes, '$(...)', '&', newlines,
    redirections and so on) through which an attacker can still inject
    commands.

SOLUTION

    This is fixed in cgic 1.06.  From Thomas Boutell's site take a look
    at:

        http://www.boutell.com/cgic/#whatsnew106

    Upgrading to version 1.06 is strongly recommended.