sbox May Disclose Installation Path and User Account Paths to Remote Users
SecurityTracker Alert ID: 1007818
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 26 2003
Impact: Disclosure of system information, Disclosure of user information
Version(s): 1.04
Description: A vulnerability was reported in 'sbox'. A remote user can determine the installation path and the path to various user cgi scripts.

EightOne Research Facility reported that a remote user can submit an HTTP query for a '/cgi-bin' script that does not exist to cause the server to display the installation path. A demonstration exploit URL is provided:

http://[target]/cgi-bin/non-existent.pl

Because sbox is used to allow a less-privileged user to host a cgi script in the user's own directory (but still be executed via the web server), the path that is disclosed may contain the user's account name (e.g., "/home/[username]/cgi-bin/non-existent.pl").

The vendor has reportedly been notified.
Impact: A remote user can determine the installation path. A remote user may also be able to determine the user account name of users that host cgi scripts on the target server.
Solution: No solution was available at the time of this entry.
Vendor URL: stein.cshl.org/WWW/software/sbox/
Cause: Exception handling error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Julio e2fsck Cesar <e2fsck@bol.com.br>
Message History: None.

Source Message Contents
Date: 25 Sep 2003 17:35:35 -0000
From: Julio e2fsck Cesar <e2fsck@bol.com.br>
Subject: EORF2003-04: sbox path disclosure problem
---------------------------
EightOne Research Facility
---------------------------
EORF2003-04 (security advisory)
Title: sbox has an information disclosure problem
Author: Julio "e2fsck" Cesar
Vendor: http://stein.cshl.org/WWW/software/sbox
Versions: sbox 1.04 and later
Date: 18 Sep 2003
1. Description
sbox is a CGI wrapper that allows CGIs to be executed more safely. What
sbox does is "box" the CGI script into a secure environment and run it.
EightOne Research Facility has discovered a path disclosure problem in
sbox, which allows malicious users to know the physical path of the server
and the username of the domain.
2. Details
When a user makes a request to the /cgi-bin directory, sbox intermediates
this query and executes the CGI script in a restricted environment, but before
this execution, it performs some checks, such as for CGI scripts in world-writable
directories. When a query to a non-existent script in /cgi-bin is made, sbox
displays an error that reveals some information that shouldn't be revealed,
such as the physical path.
Here is an example: http://your.vulnerable.site/cgi-bin/non-existent.pl
and look what we get
-- snip --
Sbox Error
The sbox program encountered an error while processing this request.
Please note the time of the error, anything you might have been doing at
the time to trigger the problem, and forward the information to this
site's Webmaster (root@your.vulnerable.site).
Stat failed. /home/jcf/cgi-bin/a.pl: No such file or directory
sbox version 1.04
$Id: sbox.c,v 1.9 2000/03/28 20:12:40 lstein Exp $
-- unsnip --
It revealed the username of the domain and the physical path of the cgi-bin
directory. And it is possible to use the gotten username to make brute force
attacks to guess the user's password to obtain unauthorized access.
3. Solution
Stein Laboratory has been contacted but I haven't received any reply yet.
Thanks to Despise for being this cool guy and helping us when we needed it.
Sorry if there are English mistakes.
Regards,
members of EightOne.
EightOne Research Facility - http://eightone.mafiadodiva.org
Recife, PE, Brazil
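
A mitigation sketch for the "Stat failed" error path shown in the advisory, as an added example that is not sbox source code or part of the original message: it puts a leaky error reporter beside one that sends the path only to the server log and gives the client a generic body with a reference id. The function names, the log line format, the reference id and the sample path are hypothetical or constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helpers; sbox's real error routine is not shown in the advisory. */

/* Leaky pattern: the resolved path and errno text go into the response body. */
int report_stat_leaky(const char *path, char *body, size_t n)
{
    struct stat st;
    if (stat(path, &st) == 0)
        return 0;
    snprintf(body, n, "Stat failed. %s: %s", path, strerror(errno));
    return -1;
}

/* Hardened pattern: detail goes to the server log, keyed by a reference id;
 * the client gets a CGI status line and a generic body carrying the same id. */
int report_stat_hardened(const char *path, unsigned ref,
                         char *resp, size_t n, FILE *log)
{
    struct stat st;
    if (stat(path, &st) == 0)
        return 0;
    int err = errno;  /* save before any call that may overwrite errno */
    fprintf(log, "cgi-wrapper ref=%08x stat failed: %s: %s\n",
            ref, path, strerror(err));
    snprintf(resp, n,
             "Status: %s\r\nContent-Type: text/plain\r\n\r\n"
             "The request could not be processed (reference %08x).\n",
             (err == ENOENT || err == ENOTDIR) ? "404 Not Found"
                                               : "500 Internal Server Error",
             ref);
    return -1;
}

int main(void)
{
    /* Constructed path for illustration; it is expected not to exist. */
    const char *path = "/home/exampleuser/cgi-bin/non-existent.pl";
    char leaky[512] = "", safe[512] = "";

    report_stat_leaky(path, leaky, sizeof leaky);
    report_stat_hardened(path, 0x1a2b3c4du, safe, sizeof safe, stderr);
    printf("leaky:\n%s\n\nhardened:\n%s", leaky, safe);
    return 0;
}
```

The webmaster can match the reference id a user reports against the server log to recover the full path without it ever appearing in a response.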