COMMAND

    News Desk

SYSTEMS AFFECTED

    News Desk 1.2

PROBLEM

    The following is based on a B10Z Security Advisory.  News Desk 1.2
    (newsdesk.cgi) is a news submission script written in Perl.  It lets
    someone on a remote computer connect to the server and post news
    submissions without logging into the actual server.  By logging into
    the CGI with a custom login and password (kept in pass.txt) the admin
    is able to post the latest headline news to his/her website with ease.

    Adding the string "/../" to the URL allows an attacker to view any
    file on the server, and also to list directories on the server, that
    the user the vulnerable httpd runs as has permission to access.

    Examples:

        http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/passwd

    This opens the passwd file (useful to the attacker only if the system
    does not use shadow passwords).

        http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../pass.txt

    This opens the password string, which can then be used to log in to
    newsdesk.cgi and post new news, or, with special variables, to
    upload/post HTML to the htdocs directory, possibly leading to a
    defacement of the web page.

        http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/

    This lists the /etc/ directory.  Not all servers will list
    directories, but most appear to.
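    The root cause in all three examples is that the t= parameter is
    joined to the news directory and opened as-is, so "../" segments walk
    out of that directory and a trailing "/" names a directory instead of
    a file.  The following is an added example, not code from News Desk
    or from the advisory, showing how a script like this should resolve
    the parameter: canonicalise the path, require that the result stay
    inside the news directory, and serve only regular files.  The news
    directory and the meow.html article are constructed for the example.

```python
import os
import tempfile

# Constructed sample: a news directory holding one legitimate article.
NEWS_DIR = tempfile.mkdtemp(prefix="newsdesk_")
with open(os.path.join(NEWS_DIR, "meow.html"), "w") as fh:
    fh.write("<p>latest headline</p>\n")


def resolve_news_file(base_dir, t):
    """Return the absolute path of the article named by t, or None if the
    request must be refused.

    The weak pattern is open(base_dir + t): "../" walks out of base_dir,
    a trailing "/" names a directory, and in Perl's two-argument open a
    trailing "|" runs the text before it as a command.  Each of those is
    refused below.
    """
    # Refuse empty names and any byte that changes how a filename is
    # interpreted by open() or by a shell.
    if not t or any(ch in t for ch in "|\0\n;&$`"):
        return None
    # Canonicalise both sides: realpath resolves "..", "." and symlinks,
    # so the comparison is made on the path that would actually be opened.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, t))
    # The result must lie strictly inside base: not base itself, and not a
    # sibling whose name merely starts with base (e.g. base + "-old").
    if os.path.commonpath([base, target]) != base or target == base:
        return None
    # Only regular files are articles; directory listings are never valid.
    if not os.path.isfile(target):
        return None
    return target


def serve_news(base_dir, t):
    """Mimic the CGI's job: return (status, body) for a t= request."""
    path = resolve_news_file(base_dir, t)
    if path is None:
        return (403, "Forbidden")
    with open(path) as fh:
        return (200, fh.read())


if __name__ == "__main__":
    for req in ("meow.html", "../../../../etc/passwd", "../pass.txt",
                "../../../../etc/", "../../../bin/ls /|"):
        print(req, "->", serve_news(NEWS_DIR, req)[0])
```

    Note that an absolute t= (for example "/etc/passwd") is also refused:
    os.path.join discards the base when the second argument is absolute,
    and the containment check then fails.  The same containment check is
    what a fixed newsdesk.cgi needs; in Perl the three-argument form of
    open with an explicit "<" mode additionally prevents a trailing "|"
    from being treated as a command.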

    Note: It depends on where they install newsdesk.cgi; it is not always
    in a cgi-bin, so it could be installed under any path.  Just go to
    your favorite search engine and search for newsdesk.cgi and voila.
    There are also some other variants of this CGI script out there,
    most of them recognisable by the

        news.cgi?a=something&t=meow.html

    format.  Notice the a= and t= parameters, which are a clear give-away
    for Newsdesk.

    'zenomorph' contributed the following.  Remote command execution is
    possible on most sites if you use the correct directory syntax;
    ../../../bin/ls%20/| is a working example.  Many more commands are
    possible if you play around with it a bit, such as spawning xterms.
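    Because the script may live under any path and has several variants,
    a detection rule should key on the script name and the t= parameter
    rather than on one fixed URL.  The following is an added example, not
    part of the advisory, that scans web server access log lines for
    newsdesk.cgi / news.cgi requests whose t= value contains traversal
    segments, an absolute path, a trailing slash (directory listing), or
    the "|" that turns the open into a command.  The query string is
    decoded twice so that a percent-encoded or double-encoded ".." is
    caught as well; the log lines are constructed for the example and
    come from no real server.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-log-format lines; addresses and timestamps are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Apr/2000:10:01:02 +0000] "GET /cgi-bin/newsdesk.cgi?t=meow.html HTTP/1.0" 200 512
10.0.0.9 - - [12/Apr/2000:10:01:07 +0000] "GET /cgi-bin/newsdesk.cgi?t=../../../../etc/passwd HTTP/1.0" 200 1833
10.0.0.9 - - [12/Apr/2000:10:01:09 +0000] "GET /cgi-bin/newsdesk.cgi?t=../pass.txt HTTP/1.0" 200 41
10.0.0.9 - - [12/Apr/2000:10:01:15 +0000] "GET /news/news.cgi?a=view&t=%2e%2e/%2e%2e/etc/ HTTP/1.0" 200 2201
10.0.0.9 - - [12/Apr/2000:10:01:20 +0000] "GET /cgi-bin/newsdesk.cgi?t=../../../bin/ls%20/| HTTP/1.0" 200 90
10.0.0.7 - - [12/Apr/2000:10:02:00 +0000] "GET /index.html HTTP/1.0" 200 1200
"""

# Fields of a combined/common log line that the scanner needs.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
# Match the script name wherever it is installed (not only under /cgi-bin/).
SCRIPT_RE = re.compile(r'/(newsdesk|news)\.cgi$')


def classify_request(url):
    """Return a reason string if the request abuses the t= parameter of a
    newsdesk-style script, otherwise None."""
    parts = urlsplit(url)
    if not SCRIPT_RE.search(parts.path):
        return None
    # parse_qs decodes one layer of percent-encoding; a second unquote
    # catches double-encoded values such as %252e%252e.
    params = parse_qs(parts.query, keep_blank_values=True)
    for raw in params.get("t", []):
        t = unquote(raw)
        if "|" in t:
            return "pipe character (command execution)"
        if t.startswith("/") or ".." in t.split("/"):
            return "path traversal"
        if t.endswith("/"):
            return "directory listing request"
    return None


def scan_log(text):
    """Return (client ip, url, reason) for every suspicious request in text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("url"))
        if reason:
            hits.append((m.group("ip"), m.group("url"), reason))
    return hits


if __name__ == "__main__":
    for ip, url, reason in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{url}")
```

    Splitting on "/" and looking for a whole ".." segment, rather than
    searching for the substring "..", avoids flagging legitimate names
    such as "news..2000.html".  The status code is captured so that a
    report can separate successful reads (200) from refused ones.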

SOLUTION

    The vendor has been contacted and will release an updated version
    which is supposed to be more secure...