Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web BBS :: etc :: hack2589.htm

CGIForum, CGINews issues
Issues In CGINews and CGIForum

Vendor  : Markus Triska

URL     : 

Version : 1.07 And Possible Earlier & CGIForum 1.09

Risk    : Weak Encryption & Info Disclosure


CGINews is a multi-user Web site news posting system written in Perl. 

Main features include: adding, updating, and deleting news entries, 

multi-user functionality, sections, access levels, logs, 

highly-configurable layout, file upload, binary attachments and more.

Weak Password Encryption:

The CGI News program does not use DES, MD5 or any other one way crypt

algorithm. It instead uses a weak, decryptable method. Below is a script

that can easily decrypt the passwords found in the programs *.pwl files.

This issue is also present in CGIForum 1.09 by Markus Triska and can be 

used to decode CGIForum password files as well. 

Information Disclosure Vulnerability:

By default the users log files are viewable. username/username.log The only

files not viewable by default are the .pwl files

Sat Dec 13 21:06:37 2003: jeiar changed password.

Sat Dec 13 21:10:21 2003: jeiar changed E-Mail/Syntax: test@blah/jeiar. 

Sat Dec 13 21:10:54 2003: jeiar tried to change password.

Sat Dec 13 21:13:59 2003: jeiar uploaded file: C:\cmd.exe

Sat Dec 13 21:31:38 2003: jeiar uploaded file: C:\


You can add your own DES or MD5 encryption if you are familiar with PERL, and to

solve the logfile problem simply add a .htaccess file that makes the directory

not viewable. For example

AuthType Basic

AuthName "No access"

AuthUserFile .htnopasswd

AuthGroupFile /dev/null

Require valid-user

The author plans on including this type of .htaccess file in future versions, but 

does not have any plans on changing or strengthening the encryption method.


Credits go to JeiAr of the GulfTech Security Research Team. 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH