
9th Apr 2002 [SBWID-5251]

	multiple scripts remote code execution








	Steve Gustin found the following vulnerabilities on some
	scripts : distributes a number of free and commercial Perl CGI
	scripts developed by Mike Barone and Andy Angrick. Last month a Remote
	Code Execution vulnerability was found in their csSearch product;
	further research and information provided by the Vendor has revealed
	that four (4) additional scripts have the same vulnerability.

	These scripts are:

	 csGuestBook   - guestbook program

	 csLiveSupport - web based support/chat program

	 csNewsPro     - website news updater/editor

	 csChatRBox    - web based chat script


	These scripts store their configuration data as Perl code in a file
	called "setup.cgi" which is eval()uated by the script to load it back
	into memory at runtime. Due to an Access Validation Error, any user can
	cause configuration data to be written to "setup.cgi" and therefore
	execute arbitrary Perl code on the server.





	Configuration data is (typically) saved with the following URL.





	Note that any Perl code would need to be URL encoded. A malicious user
	could essentially execute any arbitrary Perl code or shell commands.
	Only csChatRBox was tested for this vulnerability; however, the Vendor
	stated the other scripts were also affected.

	SysAdmins wanting to scan for affected scripts should check for the
	following filenames: "csGuestbook.cgi", "csLiveSupport.cgi",
	"csNews.cgi", "csChatRBox.cgi".
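
	One way to run that filename check, as an added example (not part of
	the original advisory or the vendor's code): a shell function that walks
	a web root for the four script names and reports the state of the
	setup.cgi beside each. The function names, the "review" label and the
	pattern behind it are assumptions made here; the pattern assumes a
	legitimate setup.cgi holds only plain assignments.

```shell
#!/bin/sh
# Added example, not from the advisory's author or the vendor.
# Usage after sourcing this file:  scan_cs_scripts /var/www
# Output: one tab-separated line per script found:
#   <script path> <TAB> setup=<absent|present|review>
# "review" is a heuristic (assumption): a legitimate setup.cgi should hold
# only plain assignments, so command-running Perl constructs in it deserve
# a manual look. "present" does not prove the file is clean.

setup_state() {
    # $1 = directory that holds the CGI script
    if [ ! -f "$1/setup.cgi" ]; then
        echo absent
    elif grep -Eq -e '`' \
        -e '(^|[^[:alnum:]_$@%])(system|exec|qx|eval)[[:space:]]*[({"]' \
        "$1/setup.cgi"; then
        echo review
    else
        echo present
    fi
}

scan_cs_scripts() {
    # $1 = web root to walk
    if [ ! -d "$1" ]; then
        echo "usage: scan_cs_scripts WEBROOT" >&2
        return 2
    fi
    # -iname (GNU and BSD find) ignores case: the advisory spells the
    # guestbook both "csGuestBook" and "csGuestbook.cgi".
    find "$1" -type f \( -iname 'csGuestbook.cgi' \
        -o -iname 'csLiveSupport.cgi' \
        -o -iname 'csNews.cgi' \
        -o -iname 'csChatRBox.cgi' \) -print |
    while IFS= read -r script; do
        printf '%s\tsetup=%s\n' "$script" \
            "$(setup_state "$(dirname "$script")")"
    done
    return 0
}
```

	Every hit needs the vendor's updated script regardless of the setup
	state, since the version number alone does not distinguish patched from
	vulnerable copies.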





	Because of the high number of users who are using scripts
	(over 17,000 csSearch users alone according to the website) and the
	fact that search engines can easily be used to identify sites with the
	unique "csScriptName.cgi" script names, the risk posed by these flaws
	is very high indeed.

	Additionally, because the Vendor does not post version numbers or
	changelogs (that we could find) on their website or with their software,
	and because the patched version of csChatRBox has the same version
	number as the vulnerable version (1.0), it may make it more difficult
	for users to determine whether or not their script is vulnerable or


	Vendor has released updated versions of  all  the  affected  scripts  to
	patch the flaws.
