COMMAND

    DBMan (db.cgi)

SYSTEMS AFFECTED

    DBMan (db.cgi) Script

PROBLEM

    The following is based on a Black Watch Labs Vulnerability Alert.
    It is estimated that there are more than 2,000 pages containing
    links to db.cgi. The Gossamer Threads site contains a list of
    some sites that use DBMan:

        http://www.gossamer-threads.com/scripts/resources/DBMan/Sites_In_Action/

    The script allows several environment variables to be viewed by
    an attacker, who can gain useful information on the site, making
    further attacks more feasible.

    DBMan dumps useful information (e.g. script location, HTTP root,
    version of Perl, server_admin, server_name, path) to the browser
    when the database file provided is incorrect. The demo site of
    DBMan does not contain a database named no-db, thus the following
    URL displays the environment dump:

        http://www.gossamer-threads.com/scripts/dbman/db.cgi?db=no-db

SOLUTION

    To fix, replace cgierr in db.cgi with:

    sub cgierr {
    # --------------------------------------------------------
    # Displays any errors. Prints out FORM and ENVIRONMENT
    # information only when $db_debug is set. Useful for debugging.
    
        if (!$html_headers_printed) {
            print "Content-type: text/html\n\n";
            $html_headers_printed = 1;
        }
        print "DBMan encountered an internal error. ";
        if ($db_debug) {
            print "<PRE>\n\nCGI ERROR\n==========================================\n";
            $_[0]      and print "Error Message       : $_[0]\n";
            $0         and print "Script Location     : $0\n";
            $]         and print "Perl Version        : $]\n";
            $db_setup  and print "Setup File          : $db_setup.cfg\n";
            $db_userid and print "User ID             : $db_userid\n";
            $db_uid    and print "Session ID          : $db_uid\n";
    
            print "\nForm Variables\n-------------------------------------------\n";
            foreach $key (sort keys %in) {
                my $space = " " x (20 - length($key));
                print "$key$space: $in{$key}\n";
            }
            print "\nEnvironment Variables\n-------------------------------------------\n";
            foreach $env (sort keys %ENV) {
                my $space = " " x (20 - length($env));
                print "$env$space: $ENV{$env}\n";
            }
            print "\n</PRE>";
        }
        else {
            print "Please enable debugging to view.";
        }
        exit -1;
    }

    With this change, environment variables are displayed only if
    $db_debug is turned on in the config file. Users should turn
    this off when they are done testing.
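
    One way to confirm the fix on your own installation is to parse a
    saved db.cgi error response and see which fields it still exposes.
    The Python below is an added example, not part of the original
    alert or of DBMan; it assumes the output layout of the cgierr sub
    above, and the two sample responses are constructed.

```python
import re
# Labels printed by the debug branch of cgierr (copied from the sub above).
HEADER_LABELS = {"Error Message", "Script Location", "Perl Version",
                 "Setup File", "User ID", "Session ID"}
PAIR_RE = re.compile(r"^(.+?)\s*:\s?(.*)$")   # "KEY<padding>: value"

def parse_cgierr_dump(body):
    """Split a cgierr dump into header, form and env key/value maps."""
    found = {"header": {}, "form": {}, "env": {}}
    section, in_dump = "header", False
    for line in (raw.strip() for raw in body.splitlines()):
        if "CGI ERROR" in line:
            in_dump = True
        elif line.startswith("</PRE>"):
            break
        elif not in_dump or not line or set(line) <= set("-="):
            continue                      # outside the dump, blank, or a rule
        elif line in ("Form Variables", "Environment Variables"):
            section = "form" if line.startswith("Form") else "env"
        else:
            m = PAIR_RE.match(line)
            if m and (section != "header" or m.group(1) in HEADER_LABELS):
                found[section][m.group(1)] = m.group(2)
    return found

def leaks_environment(body):
    """True if the response exposes the script path or any environment variable."""
    dump = parse_cgierr_dump(body)
    return bool(dump["env"]) or "Script Location" in dump["header"]

# Constructed sample responses (not captured from a real site).
DEBUG_ON = """DBMan encountered an internal error. <PRE>

CGI ERROR
==========================================
Error Message       : sample error text
Script Location     : /home/site/cgi-bin/db.cgi
Perl Version        : 5.00503

Form Variables
-------------------------------------------
db                  : no-db

Environment Variables
-------------------------------------------
DOCUMENT_ROOT       : /home/site/htdocs
SERVER_ADMIN        : webmaster@example.test

</PRE>"""
DEBUG_OFF = "DBMan encountered an internal error. Please enable debugging to view."
```

    A response for which leaks_environment() returns True means
    $db_debug is still enabled or the old cgierr is still in place.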