COMMAND

    Count.cgi (wwwcount)

SYSTEMS AFFECTED

    Systems running Muhammad A. Muquit's wwwcount v2.3

PROBLEM

    Razvan Dragomirescu has found a vulnerability in Muhammad A. Muquit's
    wwwcount version 2.3 which allows remote users to read any GIF file on
    the server, regardless of the HTTP permissions set. The file must be
    readable by the user running the HTTP server, and it can be anywhere
    on the disk (not only under the HTTP daemon's document root
    directory).

    Using a URL like:

    http://attacked.host.com/cgi-bin/Count.cgi?display=image&image=../../../../../../path_to_gif/file.gif

    you can see (and download) any GIF image on the server. You can't use
    this to download other file types because the program checks the file
    format, but the path itself is not checked, so "../" components in the
    image parameter are followed outside the intended image directory.
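    As an added example (not part of this advisory and not wwwcount's own
    source), the kind of check that closes the hole without disabling
    images: the value of the image parameter is validated lexically
    (no empty, "." or ".." path components, which also rules out absolute
    paths) before it is joined to a fixed image directory, and the GIF
    signature check the advisory mentions is kept as a second, separate
    step. The function names, the /var/www/counter/images directory and
    the sample inputs are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not wwwcount's own code: a lexical check for the value of
 * the "image" parameter.  Every path component must be a plain file or
 * directory name: no empty components (which also rules out a leading '/'
 * and a trailing '/'), no "." and no "..".  Returns 1 if the name is
 * acceptable, 0 otherwise. */
int is_safe_image_name(const char *name)
{
    const char *p = name;

    if (name == NULL)
        return 0;
    for (;;) {
        const char *seg_end = p;
        size_t len;

        while (*seg_end != '\0' && *seg_end != '/')
            seg_end++;
        len = (size_t)(seg_end - p);
        if (len == 0)                                 /* "", "/x", "a//b", "a/" */
            return 0;
        if (len == 1 && p[0] == '.')                  /* "." component */
            return 0;
        if (len == 2 && p[0] == '.' && p[1] == '.')   /* ".." component */
            return 0;
        if (*seg_end == '\0')
            break;
        p = seg_end + 1;
    }
    return 1;
}

/* Joins a fixed image directory (an assumed location) with a validated name.
 * Returns 1 and fills `out` on success, 0 if the name is rejected or the
 * buffer is too small. */
int build_image_path(const char *image_dir, const char *name,
                     char *out, size_t outlen)
{
    int n;

    if (!is_safe_image_name(name))
        return 0;
    n = snprintf(out, outlen, "%s/%s", image_dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    return 1;
}

/* Convenience wrapper: 1 if building succeeds and yields exactly `expected`. */
int build_matches(const char *image_dir, const char *name, const char *expected)
{
    char out[512];

    if (!build_image_path(image_dir, name, out, sizeof out))
        return 0;
    return strcmp(out, expected) == 0;
}

/* The format check the advisory mentions: a GIF file starts with the
 * six-byte signature "GIF87a" or "GIF89a".  Applied to the file's first
 * bytes after the path check, not instead of it. */
int looks_like_gif(const unsigned char *buf, size_t len)
{
    if (len < 6)
        return 0;
    return memcmp(buf, "GIF87a", 6) == 0 || memcmp(buf, "GIF89a", 6) == 0;
}

int main(void)
{
    /* Constructed inputs: a normal digit image, the traversal string quoted
     * in the advisory, an absolute path and a "." component. */
    const char *samples[] = {
        "counter/digits.gif",
        "../../../../../../path_to_gif/file.gif",
        "/etc/motd",
        "a/./b.gif",
    };
    char path[512];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_image_path("/var/www/counter/images", samples[i], path, sizeof path))
            printf("accept  %-40s -> %s\n", samples[i], path);
        else
            printf("reject  %s\n", samples[i]);
    }
    return 0;
}
```

    The check has to run on the parameter value after URL decoding,
    otherwise an encoded form of the same components would slip past it;
    and when the file is known to exist, comparing realpath() of the
    joined path against realpath() of the image directory is a stronger
    check than the lexical one, since it also resolves symlinks.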

    The use for this is not yet very clear, but some companies might have
    sensitive information in GIF files (charts, drafts etc.). And of
    course, this is heaven for XXX site hunters, who can bypass user-level
    authentication and download the image if they know the name and the
    path.

    You can find information about wwwcount at:

        http://www.fccc.edu/users/muquit/Count.html

SOLUTION

    It appears that the bug is present ONLY in version 2.3. Older versions
    do not have it. For those who want to keep this version, there is a
    rather crude fix which disables images. I guess if you don't run an
    XXX site then this as a temporary solution is good. The temporary fix
    is to apply something like the following to wwwcount2.3/main.c
    (Edheldil):

              case SHOW_GIF_FILE:
              {
    +             PrintHeader();
    +             StringImage("Images have been disabled");
    +             exit(1);
    +
                  if (*digit_info.gif_file == '\0')
                  {
                      PrintHeader();
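Review bot: the three added lines in the SHOW_GIF_FILE case run unconditionally before the existing `if (*digit_info.gif_file == '\0')` check, so that branch and everything after it in the case become dead code; this is a feature switch, not a fix for the traversal. If the goal is to keep image display working, validate `digit_info.gif_file` before it is opened (reject an empty name, a leading '/' and any ".." component, and confine the result to the image directory) and fall through to the existing code only when it passes. Two smaller points: `exit(1)` reports failure to the web server after a complete response has already been written, so `exit(0)` is the more conventional status here; and the hunk carries no `@@` header or surrounding file context, so it should be applied by hand against the case label rather than with patch(1).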