(Vendor Provides Guidance) Re: WWWIsis Search Engine CGI Allows Remote Users to Execute Commands and View Files on the System

Date: Apr 3 2002

Impact: Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network

Fix Available: Yes
Vendor Confirmed: Yes

Version(s): 3.45, possibly others
Description: A vulnerability was reported in the WWWIsis CGI interface software for ISIS databases. A remote user can execute arbitrary commands on the system and can view arbitrary files.

It is reported that a remote user can supply crafted query parameters, specifically the 'prolog' and 'epilog' parameters, to make the WWWIsis CGI interpret an attacker-chosen format. The ISIS formatting language includes functions powerful enough to execute shell commands, so the attacker can run arbitrary commands or display any file that is readable by the CGI process. The reporter also mentions an alternate attack path that abuses PATH_INFO. According to the report, the problem can be avoided through careful configuration of the script; however, the example configurations in the vendor's manual leave the installation vulnerable.

The reporter did not publish exploit details. The vendor has confirmed the issue (see the Source Message below).

Impact: A remote user can execute arbitrary shell commands on the server and can view files on the server that are readable by the CGI process.

Solution: The vendor has responded that this vulnerability applies to version 3.x only. The flaw has been corrected in version 5.0, and the vendor recommends that users of affected versions upgrade to version 5.0. For users that cannot upgrade, the vendor describes a configuration workaround in the Source Message: declare the 'prolog' and 'epilog' parameters as literals at the end of the cgi= declaration in the script's ".in" file (as 'prolog=,' and 'epilog=,' if they are not otherwise used), so that values supplied in the query string cannot redefine them. The reporter additionally suggests not exposing wwwisis directly but wrapping it in a taint-checking Perl script that filters the query parameters, cleans the environment, and then executes the binary with an argument list.

Vendor URL: www.bireme.br/isis/I/wwwi.htm

Cause: Input validation error

Underlying OS: Linux (Any), UNIX (Any), Windows (Any)

Reported By: "Jorge Walters" <waltersj@bireme.ops-oms.org>

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Tue, 2 Apr 2002 20:08:08 -0300
From: "Jorge Walters" <waltersj@bireme.ops-oms.org>
Subject: RE: [VulnWatch] vuln in wwwisis: remote command execution and get files

Dear Mr. Ripke,
A response regarding security issues in wwwisis 3.x follows.
Should you have any comments, please do not hesitate to contact us.
Best regards,
Jorge Walters Gastelu
jorge@bireme.br
BIREME/PAHO/WHO
+---------------------------+
|WWWIsis 3.x security issue |
+---------------------------+
The security issue reported by Mr. Klaus Ripke (krip@openisis.org) exists.
It affects only wwwisis 3.x versions and does not affect later releases
(current version is 5.0).
As Mr. Ripke describes it, a security hole exists when "prolog" and/or
"epilog" parameters are passed in the query string with malicious values
such as system calls.
SOLUTION
Of course the recommended action is to upgrade wwwisis to version 5.0. It
has been completely rebuilt and incorporates a lot of new features such as
XML manipulation.
For those that will not upgrade and/or need to protect legacy systems a
solution follows.
Wwwisis 3.x versions are no longer maintained and developers should take
care of the problem at application level by following simple rules when using
prolog/epilog parameters.
The security issue occurs only in two situations:
a) PROLOG/EPILOG parameters are set before the CGI parameter in the "somefile.in"
file.
The solution in this case is to move them to the end of the CGI declaration.
This change should not affect the program's logic.
Example:
a "somefile.in" file for wwwisis:
db=/db/some
pft=@some.pft
prolog=@prolog.pft
epilog=@epilog.pft
cgi='bool=',(if v100^n='boolean' then v100^v fi)/
should be changed to:
db=/db/some
pft=@some.pft
cgi='bool=',(if v100^n='boolean' then v100^v fi)/,'prolog=@prolog.pft'/,'epilog=@epilog.pft'/,
(all in one line)
b) PROLOG/EPILOG parameters are not set.
Creating wwwisis scripts without setting prolog/epilog parameters is an
uncommon situation. In this case, just declare the parameters as 'epilog=,'
and 'prolog=,' at the end of the CGI declaration.
Example:
a "somefile.in" file for wwwisis:
db=/db/some
pft=@some.pft
cgi='bool=',(if v100^n='boolean' then v100^v fi)/
should be changed to:
db=/db/some
pft=@some.pft
cgi='bool=',(if v100^n='boolean' then v100^v fi)/,'prolog=,'/,'epilog=,'/,
When PROLOG/EPILOG parameters are defined as indicated, there is no way to
break security through this trick, even if someone tries to redefine the
parameters via the CGI query.
-----Original Message-----
From: Abel Laerte Packer [mailto:abel@brm.bireme.br]
Sent: Tuesday, April 02, 2002 2:18 PM
To: Klaus Ripke
Cc: Bugtraq@securityfocus.com; vulnwatch@vulnwatch.org;
webappsec@securityfocus.com; cert@cert.org; jorge@brm.bireme.br
Subject: Re: [VulnWatch] vuln in wwwisis: remote command execution and
get files
Klaus, thank you for your message. Jorge Walters, who is BIREME's
Coordinator for systems development, will write to you soon. Regards. Abel
On Thu, 28 Mar 2002, Klaus Ripke wrote:
> Name : wwwisis remote command execution and get files
> Software Package : wwwisis
> possibly affected : JavaISIS and other tools based on wwwisis
> Vendor Homepage : http://www.bireme.br/isis/I/wwwi.htm
> Vulnerable Versions: 3.45 verified, probably others
> Platforms : Linux verified, probably others
> Vulnerability Type : Input Validation Error
> Vendor Contacted : 28 Feb 2002
> Vendor Replied : 01 Mar 2002
> CONTACT INFORMATION
> ===============================================================================
> Name : Klaus Ripke
> E-mail : krip@openisis.org
> Vendor contact name : Abel Laerte Packer
> Vendor contact e-mail : abel@brm.bireme.br
> TECHNICAL INFO
> ===============================================================================
> Introduction:
> wwwisis runs as cgi to query mostly bibliographical databases.
> Deployed on probably some hundred systems or more.
> While this vuln is probably currently not being exploited,
> it's possible to install workarounds right now,
> therefore this information is published.
> Summary:
> In common setups of wwwisis, query parameters can be forged
> to have wwwisis execute any (shell) command and display any
> readable file as allowed for the user of the cgi process.
> Vulnerability can be avoided with careful setup.
> Description:
> Input parameters from query string are not checked for bad input.
> In common plain-vanilla setups such as the examples in the manual,
> it is possible to have the process execute any format as sent by the
> remote user. The formatting language has some too powerful functions.
> There is also an alternate attack possibility abusing PATH_INFO.
> Impact:
> Ability to execute any command and get any file as allowed for
> the cgi process.
> Exploits:
> Since there is not yet a fix published,
> and the vuln is probably currently not being exploited,
> details are to follow at a later time.
> Workaround:
> Avoid wwwisis being called directly -- wrap it up in a perl -t script.
> Wipe out any suspicious stuff from query params, clean up the ENV,
> then exec wwwisis with a list of params. Read the perlsec manpage.
> Vendor Status:
> Bireme will check it out.
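The thread above leaves two workarounds for sites stuck on wwwisis 3.x: the vendor's rule of pinning prolog/epilog as literals inside the cgi= declaration, and the reporter's suggestion of never calling wwwisis directly but through a wrapper that filters the query string, cleans the environment and then executes the binary with an argument list. The following is an added example illustrating both, written by the editor in Python rather than the Perl taint-mode script the reporter suggests; it is not code from BIREME or from the reporter. The binary path WWWISIS_BIN, the parameter allowlist ALLOWED_PARAMS, the assumption that wwwisis accepts key=value parameters on its command line (which the reporter's "exec wwwisis with a list of params" implies), and the sample ".in" files transcribed from the vendor's message are all assumptions for illustration.

```python
"""Added example, not code from BIREME or from the reporter: a hardened CGI
launcher for a legacy wwwisis 3.x install plus an audit of its ".in" file.
WWWISIS_BIN, ALLOWED_PARAMS and the sample files are assumptions."""
import os
import re
from urllib.parse import parse_qsl

# Assumed install path of the legacy binary.  The reporter's workaround implies
# wwwisis accepts key=value parameters on its command line; assumed here too.
WWWISIS_BIN = "/usr/local/bin/wwwisis"

# Only these query parameters are forwarded.  prolog, epilog, pft, db and
# anything else that selects a format or database to execute are absent.
ALLOWED_PARAMS = {"bool", "from", "to", "count"}

# Conservative value alphabet: no quotes, parentheses, '@', '/' or '&', so a
# value cannot be read as ISIS format-language code or a format-file reference.
SAFE_VALUE = re.compile(r"[A-Za-z0-9 _.\-]{0,200}")


def sanitize_query(query_string):
    """Return the name=value arguments that may be passed to wwwisis.
    Unknown names and values outside SAFE_VALUE are dropped, not escaped:
    there is no reliable escaping for an interpreter that can reach the shell."""
    args = []
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        if name in ALLOWED_PARAMS and SAFE_VALUE.fullmatch(value):
            args.append(f"{name}={value}")
    return args


def clean_env():
    """Minimal environment for the child: no inherited PATH or LD_* variables,
    and no QUERY_STRING or PATH_INFO, so wwwisis sees only the filtered argv."""
    return {"PATH": "/usr/bin:/bin", "LANG": "C"}


def audit_in_file(in_file_text):
    """Check a wwwisis ".in" file against the vendor's rule: prolog/epilog must
    not be top-level lines before cgi=, and must be pinned as literals inside
    the cgi= declaration.  Returns a list of findings; empty means compliant."""
    findings = []
    cgi_line = None
    for lineno, raw in enumerate(in_file_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key = line.split("=", 1)[0].strip().lower()
        if key == "cgi":
            cgi_line = line
        elif key in ("prolog", "epilog") and cgi_line is None:
            findings.append(f"line {lineno}: top-level {key}= before cgi= "
                            "can be overridden from the query string")
    if cgi_line is None:
        findings.append("no cgi= declaration found")
        return findings
    for key in ("prolog", "epilog"):
        if f"'{key}=" not in cgi_line:
            findings.append(f"cgi= does not pin {key}= "
                            f"(append '{key}=,'/ if it is not used)")
    return findings


# Constructed sample files, transcribed from the vendor's examples above.
VULNERABLE_IN = """db=/db/some
pft=@some.pft
prolog=@prolog.pft
epilog=@epilog.pft
cgi='bool=',(if v100^n='boolean' then v100^v fi)/
"""
UNSET_IN = """db=/db/some
pft=@some.pft
cgi='bool=',(if v100^n='boolean' then v100^v fi)/
"""
HARDENED_IN = """db=/db/some
pft=@some.pft
cgi='bool=',(if v100^n='boolean' then v100^v fi)/,'prolog=@prolog.pft'/,'epilog=@epilog.pft'/,
"""


def main():
    # PATH_INFO is the alternate attack route in the report; it is simply not
    # forwarded.  execve replaces this process, so no shell is ever involved.
    args = sanitize_query(os.environ.get("QUERY_STRING", ""))
    os.execve(WWWISIS_BIN, [WWWISIS_BIN, *args], clean_env())


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_IN), ("unset", UNSET_IN),
                       ("hardened", HARDENED_IN)):
        print(name, audit_in_file(text) or "ok")
    print(sanitize_query("bool=isis&prolog=@evil.pft&bool=a%27%2Csystem(%27id%27)"))
```

The audit encodes the vendor's recipe literally (no top-level prolog/epilog ahead of cgi=, and a quoted 'prolog=' and 'epilog=' inside the cgi= declaration) without modelling the wwwisis parser itself. The wrapper drops rather than escapes anything outside the allowlist, because the attack is not shell metacharacter injection but handing the format interpreter a parameter it will execute; once an attacker controls which format runs, there is nothing left to quote.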