COMMAND

    DCForum

SYSTEMS AFFECTED

    DCForum 2000 1.0

PROBLEM

    Franklin DeMatto (qDefense Advisory QDAV-5-2000-1) found following
    in   DCForum   2000   1.0.    Any   remote   attacker   may   gain
    read/write/execute  privilleges.   This   may  cause  failure   to
    validate  input;  trust  of  hidden  fields;  allow  uploading  of
    arbitrary files by default.

    DCForum is a popular CGI to create message boards on web sites.

    In  line  121  of  file  dcboard.cgi,  there  is  a  line "require
    <prefix><az hidden form field><suffix>;". (The exact line was  not
    quoted do to copyright limitations.)

    The perl statement "require EXPR"  will open the file EXPR,  parse
    it, and execute it, as regular perl, as if the entire contents  of
    that file  appeared at  that point.   Therefore, an  attacker  who
    writes a file containing perl commands to the server will be  able
    to execute them by  setting the az field  to the name of  his file
    on the server.

    To make matters worse, no input checking is done on the az  field,
    so as long the file is located anywhere on the server, an attacker
    can reference it, using double dots  to undo the prefix and a  %00
    to truncate off the suffix.

    Getting the file onto the  server is no problem either.   DCForum,
    by  default,  allows  any  user  to  upload  any  file, by setting
    az=upload_file.  However,  there are other  ways of getting  files
    onto  the  server,  so  even  servers  that  disable uploading are
    vulnerable.

SOLUTION

    DCScripts  released  a  security  patch  on  3/31/2001 designed to
    address these issues:

        http://www.dcscripts.com/FAQ/sec_2001_03_31.html