COMMAND
cached_feed.cgi
SYSTEMS AFFECTED
Cached_Feed CGI
PROBLEM
CDI found the following. Yet another CGI that lacks sufficient (or
in this case, any) input validation, leading to the exposure of any
file on the system that is readable by the web server's user.
The cached_feed CGI supplied by Moreover.com is used to retrieve
news headlines from the Moreover.com site and store them for
retrieval and display within your own local web site. The program
accepts two arguments on the QUERY_STRING: the news category to
retrieve, and the format the headlines should be returned in. The
two arguments are supplied as a raw query string of the form
'category+format'. Because the query string contains no '=', the
web server splits it on '+' and passes the pieces to the script as
command-line arguments, which Perl exposes in @ARGV:
$category = @ARGV[0];
$format = @ARGV[1];
These two lines comprise the bulk of the data validation performed
by the CGI. Here's the flaw in the source:
# Constants
$base_dir = ".";
$cache_dir = "$base_dir/cached_newsfeeds";
$cache_file = "$cache_dir/".$category.".".$format;
And a little later on...
if ($age < $cache_time)
{
$feed = &obtain_file($cache_file);
}
The 'obtain_file' function reads the file specified and returns
its contents. The CGI wraps up by printing the contents of the
file back to the browser. '$age' is the age of '$cache_file' and
'$cache_time' defaults to 15 minutes, so the cached copy is served
only when it is fresher than that. This limits the exploit a bit,
as the targeted file needs to have been created or modified in the
last 15 minutes.
So, if your password file has been modified within the last 15
minutes, the obvious exploit for this flaw will allow an intruder
to retrieve the file. The file will also be retrieved if the CGI
is unable to contact the Moreover server or if the Moreover server
takes longer than 30 seconds to respond. A crafty intruder could
potentially induce such a delay using a ping flood against the
victim host.
Obvious exploit:
http://victim/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd
Here the category is '../../../.' and the format is '/etc/passwd'.
The trailing '.' of the category and the '.' the script inserts
between the two arguments combine into a fourth '..', so
$cache_file becomes './cached_newsfeeds/../../../../etc/passwd',
which is read and returned if it is readable by the web server's
user and passes the age check described above. Adjust the number
of '../' components to the depth of the cgi-bin directory on the
target.
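The following is an added example, not code from Moreover.com or
from the original advisory. It reconstructs how the two '+'-separated
QUERY_STRING arguments become $category and $format and are glued
into $cache_file, shows the path the exploit above produces, and adds
the single-component allowlist check the CGI lacks. The function
names, the [A-Za-z0-9_-] character class and the length limit are
assumptions made for the example; only $base_dir, $cache_dir,
$cache_file, $category and $format come from the advisory.

```perl
#!/usr/bin/perl
# Added example, not Moreover's code: rebuilds the $cache_file
# construction from cached_feed.cgi and contrasts it with a checked
# variant. Function names and the allowlist are assumptions.
use strict;
use warnings;

my $base_dir  = ".";
my $cache_dir = "$base_dir/cached_newsfeeds";

# A QUERY_STRING without '=' is split on '+' by the web server and
# handed to the script as command-line arguments (@ARGV).
sub args_from_query_string {
    my ($qs) = @_;
    return split /\+/, $qs;
}

# The original, unvalidated construction from the advisory.
sub cache_file_unchecked {
    my ($category, $format) = @_;
    return "$cache_dir/" . $category . "." . $format;
}

# Hardened variant: each argument must be one short path component of
# letters, digits, '_' or '-', so it can contain no '/', no '.' and no
# NUL byte; anything else is rejected instead of being opened.
sub safe_component {
    my ($s) = @_;
    return defined $s && $s =~ /\A[A-Za-z0-9_-]{1,64}\z/;
}

sub cache_file_checked {
    my ($category, $format) = @_;
    return undef unless safe_component($category) && safe_component($format);
    return "$cache_dir/$category.$format";
}

# Constructed input: the query string from the exploit URL above.
my @argv = args_from_query_string('../../../.+/etc/passwd');
printf "category=%s format=%s\n", @argv;

# The category's trailing '.' and the joining '.' form a fourth '..':
#   ./cached_newsfeeds/../../../../etc/passwd
print "unchecked: ", cache_file_unchecked(@argv), "\n";

# The same input is refused by the allowlist; a normal request passes.
print "checked:   ", (cache_file_checked(@argv) // 'REJECTED'), "\n";
print "checked:   ", (cache_file_checked('business', 'html') // 'REJECTED'), "\n";
```

Run it from the command line with no arguments; it needs Perl 5.10 or
later for the '//' operator. Note that the checked variant does not
try to canonicalise or strip '..' from the input, which is fragile;
it simply refuses anything that is not a plain name, which is the
only shape a legitimate category or format ever has.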
SOLUTION
Fix: upgrade to version 2.0, available from:
http://w.moreover.com/dev/cache/