Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5440.htm

csNews.cgi path disclosure, database access, script injection, command executions



14th Jun 2002 [SBWID-5440]
COMMAND

	csNews.cgi path disclosure, database access, script  injection,  command
	executions

SYSTEMS AFFECTED

	 csNews.cgi (csNews standard)

	 csNews.cgi (csNews Pro)

	

PROBLEM

	Steve Gustin [stegus1@yahoo.com] found following:
	

	From the website \"Update and maintain articles and news items  on  your
	web  site  with  this  full-featured  and  extremely  flexible   content
	management system.\"
	

	The following issues have been found:
	

	

	 ACCESS REQUIRED : NONE

	 ================

	

	

	-  path  disclosure  vulnerability,  filepath,  ENV,  and  config   data
	displayed by errors
	

	  CSNews.cgi?command=viewnews&database=none

	

	

	

	- Database files can be  viewed/downloaded  by  accessing  the  database
	file through a browser. Note: You\'ll need to double url encode names!
	

	  \"default%2edb\"  

	

	

	

	- Database usernames  and  password  can  be  access  by  accessing  the
	database style & config file \"database.style\". Note: You\'ll  need
	to  double  url  encode  names!  \"default%2edb.style\".  Usernames   or
	passwords in this file may be viewable.
	

	

	

	

	 ACCESS REQUIRED : \"ANONYMOUS\" or \"PASSWORD PROTECTED\" Public Management 

	 ================

	

	

	

	- \"Advanced Settings\", usually  restricted  to  admin  users,  can  be
	viewed, updated and saved by accessing this URL:
	

	 

	CSNews.cgi?database=default%2edb&command=showadv&mpage=manager

	

	

	

	- Admin options, usually restricted to admin users,  can  be  viewed  by
	regular users with this url:
	

	 

	CSNews.cgi?command=manage&database=default%2edb&mpage=manager

	

	

	- \"Advanced Settings\", user can set any file or system command  to  be
	set for \'header\' and \'footer\'. This could be done  by  submitting  a
	hand crafted  form  page,  a  perl  LWP  script,  or  with  this  simple
	javascript. This example will display the setup.cgi file which  contains
	the superuser name and password.
	

	

	javascript:alert(document.form1.pheader.value=\'setup.cgi\');

	

	javascript:alert(document.form1.pfooter.value=\'setup.cgi\');

	

	

	

	- \"Advanced Settings\", any user will access to  the  advanced  setting
	(granted with anonymous  access,  user  access,  or  admin  access)  can
	execute perl and system commands by adding any of the following  to  any
	text field:
	

	  \\\"; PERL_CODE_HERE \\\"

	

SOLUTION

	Contact vendor for updated version, only allow completely trusted  users
	to access the application,  disable  access  to  .style  and  *db  files
	through Apache .htaccess files.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH