COMMAND
News Desk
SYSTEMS AFFECTED
News Desk 1.2
PROBLEM
The following is based on a B10Z Security Advisory. News Desk 1.2
(newsdesk.cgi) is a news submission script written in Perl. It lets
someone on a remote computer connect to the server and post news
submissions without logging into the server itself. By logging into
the CGI with a custom login and password (stored in pass.txt), the
admin can post the latest headline news to his/her website with ease.
Adding the string "/../" to a URL allows an attacker to view any
file on the server, and to list directories, that the user the
vulnerable httpd runs as has permission to access.
Examples:
http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/passwd
Will obviously open the passwd file, if unshadowed.
http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../pass.txt
Will open the password string, which can be used to log in to
newsdesk.cgi and post news or, with special variables, to upload/post
HTML to the htdocs directory, possibly leading to a defacement of the
webpage.
http://www.VULNERABLE.com/cgi-bin/newsdesk.cgi?t=../../../../etc/
Will obviously list the /etc/ directory. Not all servers will
list directories, but most appear to.
Note: it depends on where newsdesk.cgi is installed; it is not always
in a cgi-bin, so it could be installed under any path. Just go to
your favorite search engine and search for newsdesk.cgi and voila.
There are also other variants of this CGI script out there; most of
them are recognisable by the
news.cgi?a=something&t=meow.html
format. Notice the a= and t= parameters, which are a clear give-away
of Newsdesk.
'zenomorph' contributed the following: Remote command execution is
possible on most sites if you use the correct directory syntax;
../../../bin/ls%20/| is a working example. Many more
commands are possible if you play around with it a bit, such as
spawning xterms.
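The advisory does not include the script's source, so the practical defensive step is to find the traversal and pipe requests described above in web server logs. The following is an added detection example (not part of the advisory or of News Desk); the log lines are constructed in Apache combined format, and the `t=` parameter name and the `newsdesk.cgi`/`news.cgi` script names are taken from the text above.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /cgi-bin/newsdesk.cgi?t=news.html HTTP/1.0" 200 2326 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2000:13:56:01 -0700] "GET /cgi-bin/newsdesk.cgi?t=../../../../etc/passwd HTTP/1.0" 200 1411 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2000:13:56:40 -0700] "GET /cgi-bin/newsdesk.cgi?t=..%2Fpass.txt HTTP/1.0" 200 88 "-" "Mozilla/4.0"
203.0.113.9 - - [10/Oct/2000:13:57:12 -0700] "GET /cgi-bin/newsdesk.cgi?t=../../../bin/ls%20/| HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.0.113.11 - - [10/Oct/2000:13:58:00 -0700] "GET /news/news.cgi?a=show&t=meow.html HTTP/1.0" 200 900 "-" "Mozilla/4.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Script names from the advisory; news.cgi covers the variants it mentions.
NEWSDESK_SCRIPTS = ('newsdesk.cgi', 'news.cgi')


def classify_target(target):
    """Return a list of findings for one request target, or [] if it looks benign."""
    parts = urlsplit(target)
    script = parts.path.rsplit('/', 1)[-1].lower()
    if script not in NEWSDESK_SCRIPTS:
        return []
    findings = []
    # parse_qs already URL-decodes once; decode again to catch double-encoded values.
    for value in parse_qs(parts.query).get('t', []):
        decoded = unquote(value)
        if '../' in decoded or '..\\' in decoded:
            findings.append('traversal')
        # A leading or trailing '|' in the filename is the command-execution pattern reported above.
        if decoded.startswith('|') or decoded.rstrip().endswith('|'):
            findings.append('pipe-open')
    return findings


def scan_log(text):
    """Return (ip, status, target, findings) for every suspicious Newsdesk request in the log."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_target(m.group('target'))
        if findings:
            hits.append((m.group('ip'), int(m.group('status')), m.group('target'), findings))
    return hits


if __name__ == '__main__':
    for ip, status, target, findings in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target} -> {', '.join(findings)}")
```

A 200 status on a flagged request is the signal to treat as a likely successful read or execution and to review the host rather than just the log.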
SOLUTION
The vendor has been contacted and will release an updated version
which is supposed to be more secure...