COMMAND

    Auction Weaver

SYSTEMS AFFECTED

    Auction Weaver LITE 1.0 - 1.04

PROBLEM

    Steven M. Christey found the following.  Auction Weaver LITE is a
    CGI program written in Perl.  It allows users to create and host
    auctions on their web site.

    Auction Weaver LITE 1.0 through 1.04 was discovered to contain
    several vulnerabilities that allow remote attackers to create,
    read, or delete arbitrary files with the privileges of the
    Auction Weaver process.  These vulnerabilities are different from
    the ones described by Meliksah Ozoral and teleh0r that are
    available from previous Auction Weaver advisories on this page.
    All of the vulnerabilities are of kinds commonly found in CGI
    scripts.

    These vulnerabilities were successfully exploited using a  default
    installation of Auction Weaver on  a Solaris 7 box.   However, all
    platforms are vulnerable.

    These  vulnerabilities   were  discovered   while  attempting   to
    determine whether  CGI Script  Center had  patched the  previously
    announced vulnerabilities.  (While some acknowledgement was posted
    on the vendor's web site, it did not provide sufficient details to
    be certain that all of the identified problems had been fixed).

    The Common Vulnerabilities and Exposures (CVE) project has assigned
    unique names to each of these vulnerabilities.  They are candidates
    for  inclusion  in  the  CVE  list,  which  standardizes names for
    security problems.  See http://cve.mitre.org/

    The Security Focus VulnHelp service has also assigned Bugtraq ID's
    to these vulnerabilities.  See http://www.securityfocus.com/vdb/

    1) File/directory deletion with malicious form field names
       containing ..  CVE candidate: CAN-2000-0810 Bugtraq ID: 1782

       In  Auction  Weaver  1.0  through  1.04,  a remote attacker can
       delete arbitrary directories, and  files within them, with  the
       privileges of the Auction  Weaver process.  This  vulnerability
       is due to a  lack of sanity checking  of the names of  the form
       fields.  Due  to the nature  of the bug,  files can be  deleted
       outside of the  web document root  using .. notation.   Even if
       the filenames were properly  cleansed of .. problems,  however,
       non-administrators  would  still  be  able  to  delete  auction
       information, because  the vulnerable  function is  not password
       protected.

       The extent of this  vulnerability is slightly mitigated  by the
       fact that  if the  targeted directory  contains subdirectories,
       the  script  may   fail  once  it   attempts  to  delete   that
       subdirectory.  However, it may have deleted other files  before
       reaching that subdirectory.

    2) Arbitrary  file reading  and creation  with ..  in username and
       bidfile CVE candidate: CAN-2000-0811 Bugtraq ID: 1783

       In Auction Weaver 1.0 through 1.04, a remote attacker can read
       and create arbitrary files in arbitrary directories with the
       same privileges as the Auction Weaver process.  The attacker
       cannot fully control the contents of the created file.

       The vulnerable script does not properly cleanse two form fields
       (username and bidfile) whose values are later used in
       constructing file pathnames.  These form fields are different
       from those described in previous Bugtraq posts, but it is the
       same kind of vulnerability.  An attacker can insert a .. into
       the field's value to access files outside of the data directory.

       The scope of the problem would be limited to file names with
       .dat extensions, except that the program is written in Perl and
       does not filter out null characters, and the underlying C
       library calls treat a null byte as the end of the string.  Thus
       the attacker can insert a null character at the end of the
       filename as specified in the form, effectively bypassing the
       .dat extension that is later appended to the filename.

    3) Incomplete patching of  catdir and fromfile ..  vulnerabilities
       CVE  candidate:  CAN-2000-0686  (already  assigned) Bugtraq ID:
       1630

       Auction Weaver 1.04 does not completely fix the vulnerabilities
       in the "catdir" and "fromfile" form fields, which were described
       by Meliksah Ozoral.  As originally described, these fields
       allowed file reading; however, they also allow file deletion.

       In version 1.04, the regular expression for removing ".." from
       filenames is not properly specified.  Only files in the parent
       of the data directory can be read or deleted.  However, in the
       default installation of Auction Weaver, the parent directory
       contains the server script itself.  The script itself could be
       deleted, or the administrative password could be read from it.
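    The three items above share one root cause: a form-field value (or
    name) is pasted into a file path after an incomplete cleanup.  The
    following Python is an added illustration, not Auction Weaver's
    code and not its real regular expression: the "weak" function is a
    hypothetical strip-once filter that reproduces the two failure
    modes the advisory describes (a surviving .. component and an
    unfiltered null byte before the appended .dat), and the hardened
    function rejects such values instead of trying to clean them.  The
    data directory name is a constructed placeholder.

```python
import os
import re

# Constructed data directory; Auction Weaver's real layout is not reproduced.
DATA_DIR = os.path.abspath("aw_data")


def weak_strip_dotdot(value: str) -> str:
    """Hypothetical strip-once filter (NOT the vendor's actual regex).

    Removing a single '../' leaves any further traversal intact (item 3),
    and a NUL byte passes through, so the interpreter's C-level open()
    stops reading the path before the appended '.dat' (item 2)."""
    return re.sub(r"\.\./", "", value, count=1) + ".dat"


def safe_data_path(value: str) -> str:
    """Hardened mapping of a form-field value to a file under DATA_DIR.

    Raises ValueError rather than rewriting the input: an allowlist
    leaves nothing for '..' or '/' to slip through, and the containment
    check on the resolved path is a second, independent guard."""
    if "\0" in value:                                   # NUL truncation
        raise ValueError("NUL byte in file name")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,32}", value):  # no '.', '/', '\\'
        raise ValueError("file name contains disallowed characters")
    path = os.path.realpath(os.path.join(DATA_DIR, value + ".dat"))
    if os.path.commonpath([DATA_DIR, path]) != DATA_DIR:
        raise ValueError("path escapes the data directory")
    return path


def is_safe(value: str) -> bool:
    """True when safe_data_path() accepts the value, False when it rejects."""
    try:
        safe_data_path(value)
        return True
    except ValueError:
        return False
```

    The same validator applies to form-field *names* (item 1): never
    let a client-chosen name select a file or directory to delete.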

SOLUTION

    The vendor has  been notified and  a patch is  available.  Auction
    Weaver 1.05  fixes all  of the  vulnerabilities described  in this
    advisory.  Upgrade to Auction Weaver 1.05 at:

        http://www.cgiscriptcenter.com/awl/

    A  complete  workaround  is  not  possible  for the arbitrary file
    deletion problem, so users should upgrade to version 1.05.