COMMAND

    pollit.cgi

SYSTEMS AFFECTED

    Poll_It 2.0

PROBLEM

    Elias Levy found the following.  He got a copy of the 2.0 code.  He
    hasn't set up the CGI, but from a short review this is what he
    thinks is happening:

        http://www.example.com/<cgi-dir>/pollit.cgi?admin_password=foo&entered_password=foo&action=add_option&add_option=1&=poll_options=echo+0wned>/tmp/hacked|

    Basically there is a single call to open in Poll It v2.0 that is
    vulnerable to a pipe attack.  It is the call at line 94:

        open(COPTIONS,"$poll_options");

    Notice that the filename is not preceded by "<", ">" or ">>", so
    Perl's two-argument open decides the mode from the string itself.
    This means that if we can control the contents of the variable
    $poll_options we can make the open call execute a shell command by
    appending or prepending a "|" character to it.

    This part of the code implements the administrative functions.  It
    can only be  reached if the  variable $admin_password is  equal to
    the variable $entered_password, if  the variable $action is  equal
    to  the  string  "add_option"  and  if the variable $add_option is
    defined.

    The variable  $admin_password is  set in  the source  code of  the
    script.   The  variable  $entered_password  is  taken from the CGI
    variables.  So are the $action and $add_option variables.

    The reason  we can  bypass all  this and  control $poll_options is
    because  in  version  2.0  of  the  script  the  CGI variables are
    converted  into  Perl  variables  by  the function ReadForm.  This
    function is called in version 2.0 after the other script variables
    are  defined.   This  means  we  can  overwrite  the internal Perl
    variables by passing appropriate CGI variables.

    Version 2.01 of the script fixes this problem by calling ReadForm
    before defining some variables, so $poll_options can no longer be
    overwritten.

    That being said, the fix still leaves several variables vulnerable
    (they are defined before the call to ReadForm).  In particular the
    $admin_password variable is defined before the call to ReadForm.
    That means an attacker can access the administration screen of
    Poll It without knowing the password by using a URL such as:

        http://www.example.com/<cgi dir>/pollit.cgi?load=admin&entered_password=foo&admin_password=foo

    To fix this problem, move the call to ReadForm before any variables
    are declared (e.g. line 15).
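    Both fixes described above, as an added example that is not Poll It's
    own code: a three-argument open with a fixed mode in place of the
    two-argument open at line 94, and a form reader that keeps CGI
    parameters in a hash instead of turning them into Perl variables.  It
    assumes that the original ReadForm created a global variable per CGI
    parameter (the advisory describes this behaviour but does not show the
    code), and it uses pollit_files as the data directory.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse the query string into a hash. Assumed: Poll It's ReadForm instead
# created a global Perl variable per CGI parameter, which is why a request
# could overwrite $admin_password and $poll_options; a hash keeps request
# data and script settings in separate namespaces.
sub read_form {
    my ($query) = @_;
    my %form;
    for my $pair (split /&/, $query) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        for ($name, $value) {
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        $form{$name} = defined $value ? $value : '';
    }
    return \%form;
}

# Accept only a plain file name inside the data directory: no "/", no
# shell metacharacters such as "|", no leading dot.
sub safe_options_path {
    my ($data_dir, $name) = @_;
    return undef unless defined $name
        && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    return "$data_dir/$name";
}

# Replacement for the original  open(COPTIONS,"$poll_options");
# Three-argument open with an explicit '<' mode treats the value purely as
# a file name, so a leading or trailing "|" can never start a command.
sub open_options {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    return $fh;
}

# Settings the script owns are lexicals assigned after the form is read
# and never taken from it (constructed placeholder password).
my $form           = read_form($ENV{QUERY_STRING} // '');
my $admin_password = 'set-in-source';
my $authorized     = defined $form->{entered_password}
                     && $form->{entered_password} eq $admin_password;
my $path = $authorized
    ? safe_options_path('pollit_files', $form->{poll_options}) : undef;
```

    With this layout a request carrying admin_password=foo only populates
    $form->{admin_password} and never touches the script's own setting.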

    Furthermore, the installation script instructs users to create a
    directory under the directory where you are installing the Poll It
    CGI, called pollit_files, to store data files.  These files are
    easily readable.  One file may be of a sensitive nature.  The
    pollit_files/ips.txt file lists the IP addresses of people that
    have voted in the poll.  Such information may be considered
    private and sensitive by individuals participating in the poll.
    It can be downloaded via the URL:

        http://www.example.com/<dir of pollit cgi>/pollit_files/ips.txt

    At least you can't tell who voted for what.

    The cgi directory name and the  directory name of the poll it  cgi
    may change from site to site.

    Finally, the web site www.cgi-world.com still lists the Poll It
    version as 2.0.  The download file name and documentation all have
    the 2.0 version number.  Only the source file lists a version
    number of 2.01.  Nowhere are there any warnings about the
    vulnerability in version 2.0 or messages encouraging users of 2.0
    to upgrade to 2.01 for security reasons.

SOLUTION

    All in all, the program was written with little attention paid to
    security.  The author does not seem to understand the
    ramifications of declaring CGI variables as Perl variables, and
    the previous fix was incomplete.  It is not recommended that anyone
    run this CGI script in any security-sensitive environment.