Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
DCScript's DCForum Web Messaging Board Software Allows Remote Users to Cause the Software to Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1001332 |
|
SecurityTracker URL: http://securitytracker.com/id/1001332
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Apr 17 2001
|
Impact:
Execution of arbitrary code via network, User access via network
|
|
Version(s): DCForum 2000 1.0
|
Description:
qDefense released an advisory (QDAV-5-2000-1) for DCScript's DCForum web messaging software, warning that it allows a remote user to gain read, write, and execute privileges via the server application.
DCForum reportedly contains several vulnerabilities.
In the file dcboard.cgi, the following line is specified: "require <prefix><az hidden form field><suffix>;". The Perl statement "require EXPR" will open the file EXPR, parse it, and execute the contents as regular perl. A remote user can upload a file containing Perl commands to the server and cause the file to be executed by setting the "az" field to the name of the file uploaded to the server.
Furthermore, no input checking is performed on the "az" field. As a result, a remote user can used double dots to undo the prefix and a %00 to truncate off the suffix. This allows the remote user to specify any Perl file on the server for execution.
DCForum by default allows any user to upload any file by setting "az=upload_file".
|
Impact:
A remote user can cause arbitrary code to be executed by the DCForum application.
|
Solution:
No solution was available at the time of this entry. The advisory lists some interim measures. See the source message for details.
|
Vendor URL: www.dcscripts.com/dcforum.shtml (Links to External Site)
|
Cause:
Input validation error, State error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (NT), Windows (2000)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Mon, 16 Apr 2001 21:30:24 -0400
Subject: qDefense Advisory: DCForum allows remote read/write/execute
|
qDefense Advisory Number QDAV-5-2000-1
Product: DCForum
Vendor: DCScripts (www.dcscripts.com)
Version Tested: DCForum 2000 1.0
Severity: Any remote attacker may gain read/write/execute privilleges
Cause: Failure to validate input; Trust of hidden fields; Allows uploading
of arbitrary files by default
Solution: Provided here
DCForum is a popular CGI to create message boards on web sites.
It contains, however, a number of serious vulnerabilities.
In line 121 of file dcboard.cgi, there is a line "require <prefix><az
hidden form field><suffix>;". (The exact line was not quoted do to
copyright limitations.)
The perl statement "require EXPR" will open the file EXPR, parse it, and
execute it, as regular perl, as if the entire contents of that
file appeared at that point. Therefore, an attacker who writes a file
containing perl commands to the server will be able to execute
them by setting the az field to the name of his file on the server.
To make matters worse, no input checking is done on the az field, so as
long the file is located anywhere on the server, an attacker
can reference it, using double dots to undo the prefix and a %00 to
truncate off the suffix.
Getting the file onto the server is no problem either. DCForum, by default,
allows any user to upload any file, by setting
az=upload_file. However, there are other ways of getting files onto the
server, so even servers that disable uploading are vulnerable.
Solution:
Patch dcboard.cgi to remove double dots and poison nulls
Disable uploading
(Note: this solution by no means ensures DCForum's security; it merely is a
band-aid for this vulnerability)
Franklin DeMatto
franklin@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER
|
|
Go to the Top of This SecurityTracker Archive Page
|
