SecurityTracker
Archives
Category:  Application (Generic)  >  WWWIsis
Vendors:  BIREME
WWWIsis Search Engine CGI Allows Remote Users to Execute Commands and View Files on the System
Date:  Mar 29 2002
Impact:  Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, User access via network
Version(s): 3.45, possibly others
Description:  A vulnerability was reported in the WWWIsis CGI interface software for ISIS databases. A remote user can execute arbitrary commands on the system and can view arbitrary files.

It is reported that a remote user can forge certain query parameters to cause the WWWIsis CGI code to execute arbitrary shell commands or display any file that is readable by the CGI process. According to the report, this can be avoided through careful configuration of the script. However, the examples provided in the manual will leave the configuration vulnerable.

No further details were provided.

The vendor has reportedly been notified.

Impact:  A remote user can execute arbitrary shell commands on the server and can view files on the server that are readable by the CGI process.
Solution:  No solution was available at the time of this entry.

The author of the report has provided the following recommendations:

"Avoid wwwisis being called directly -- wrap it up in a perl -t script. Wipe out any suspicious stuff from query params, clean up the ENV, then exec wwwisis with a list of params. Read the perlsec manpage."

Vendor URL:  www.bireme.br/isis/I/wwwi.htm
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Klaus Ripke <krip@openisis.org>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Apr 3 2002 (Vendor Provides Guidance) Re: WWWIsis Search Engine CGI Allows Remote Users to Execute Commands and View Files on the System   ("Jorge Walters" <waltersj@bireme.ops-oms.org>)
The vendor has corrected the flaw in more recent versions of the software.



Source Message Contents

Date:  Thu, 28 Mar 2002 17:26:57 +0100
From:  Klaus Ripke <krip@openisis.org>
Subject:  [VulnWatch] vuln in wwwisis: remote command execution and get files

Name               : wwwisis remote command execution and get files
Software Package   : wwwisis
possibly affected  : JavaISIS and other tools based on wwwisis
Vendor Homepage    : http://www.bireme.br/isis/I/wwwi.htm
Vulnerable Versions: 3.45 verified, probably others
Platforms          : Linux verified, probably others
Vulnerability Type : Input Validation Error
Vendor Contacted   : 28 Feb 2002
Vendor Replied     : 01 Mar 2002



CONTACT INFORMATION
===============================================================================

Name                   : Klaus Ripke
E-mail                 : krip@openisis.org

Vendor contact name    : Abel Laerte Packer
Vendor contact e-mail  : abel@brm.bireme.br



TECHNICAL INFO
===============================================================================


Introduction:

wwwisis runs as cgi to query mostly bibliographical databases.
Deployed on probably some hundred systems or more.
While this vuln is probably currently not being exploited,
it's possible to install workarounds right now,
therefore this information is published.


Summary:

In common setups of wwwisis, query parameters can be forged
to have wwwisis execute any (shell) command and display any
readable file as allowed for the user of the cgi process.
Vulnerability can be avoided with careful setup.


Description:

Input parameters from query string are not checked for bad input.
In common plain-vanilla setups such as the examples in the manual,
it is possible to have the process execute any format as sent by the
remote user. The formatting language has some too powerful functions.
There is also an alternate attack possibility abusing PATH_INFO.


Impact:

Ability to execute any command and get any file as allowed for
the cgi process.


Exploits:

Since there is not yet a fix published,
and the vuln is probably currently not being exploited,
details are to follow at a later time.


Workaround:

Avoid wwwisis being called directly -- wrap it up in a perl -t script.
Wipe out any suspicious stuff from query params, clean up the ENV,
then exec wwwisis with a list of params. Read the perlsec manpage.


Vendor Status:

Bireme will check it out.



Copyright 2002, SecurityGlobal.net LLC