COMMAND

    w3-msql

SYSTEMS AFFECTED

    msql v2.0.11

PROBLEM

    After installing the evaluation version of the latest w3-msql
    release (2.0.11), with its new security mechanism, Gregory
    Duchemin found the following.  There is indeed a new option,
    "Force_Suffix", in msql.conf that forces the msql server to take
    its documents from inside its private root instead of the
    server's.

    The CGI is still vulnerable because of numerous shortcomings in
    the source (take a look at storeArgs() in w3-msql.c).  A buffer
    overflow attack makes it possible to gain web server privileges
    and modify server content remotely.  Test it:

        http://www.victim.com/cgi-bin/w3-msql/AAAAAAAAA.......AAAAA

    With a file name about 200 characters long, the server responds
    with "Internal Server Error" and the CGI produces a core file.
    With a carefully forged string that includes code instructions,
    it is possible to force the remote server to execute arbitrary
    code.
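
    The behaviour described above leaves a trace in the web server's
    access log.  The following is an added example, not part of the
    original advisory or of the w3-msql code: it flags over-long
    w3-msql file names in Common Log Format lines.  The log format,
    the 128-byte threshold, the function names and the sample lines
    are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) \S+')
CGI_PREFIX = "/cgi-bin/w3-msql/"
MAX_NAME = 128  # assumed threshold, below the ~200 characters reported above


def suspicious(line, max_name=MAX_NAME):
    """Return a finding for an over-long w3-msql file name, else None."""
    m = CLF.match(line)
    if not m:
        return None
    host, path, status = m.groups()
    if not path.startswith(CGI_PREFIX):
        return None
    # The CGI sees the decoded path, so measure length after URL-decoding.
    name = unquote_to_bytes(path[len(CGI_PREFIX):].split("?", 1)[0])
    if len(name) <= max_name:
        return None
    return {
        "host": host,
        "name_len": len(name),
        # 500 matches the "Internal Server Error" returned when the CGI crashes.
        "crashed": status == "500",
        # Bytes outside ordinary file-name characters deserve a closer look.
        "odd_bytes": re.search(rb"[^A-Za-z0-9._/-]", name) is not None,
    }


def scan(lines, max_name=MAX_NAME):
    """Collect findings from an iterable of access-log lines."""
    return [f for f in (suspicious(l, max_name) for l in lines) if f]


# Constructed sample lines (documentation addresses, not real traffic).
REQ = ' - - [01/Jan/2000:10:00:00 +0000] "GET '
SAMPLE = [
    "192.0.2.10" + REQ + '/cgi-bin/w3-msql/index.msql HTTP/1.0" 200 512',
    "192.0.2.66" + REQ + "/cgi-bin/w3-msql/" + "A" * 200 + ' HTTP/1.0" 500 289',
    "192.0.2.67" + REQ + "/cgi-bin/w3-msql/" + "%FF" * 150 + ' HTTP/1.0" 500 289',
    "192.0.2.11" + REQ + "/docs/" + "B" * 300 + ' HTTP/1.0" 404 120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

    A finding with "crashed" set should be correlated with core
    files left by the CGI on the server.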

SOLUTION

    Nothing yet.