(Vendor Responds) Re: Agora.cgi E-Commerce System Discloses Path Names to Remote Users When in Debug Mode
SecurityTracker Alert ID: 1003545
SecurityTracker URL: http://securitytracker.com/id/1003545
CVE Reference:
GENERIC-MAP-NOMATCH
Date: Feb 14 2002
Impact:
Disclosure of system information
Vendor Confirmed: Yes
Description:
An information disclosure vulnerability was reported in Agora.cgi. A remote user can view the path name of the Agora.cgi installation if the server is configured in debug mode.
The following type of URL can reportedly be used to trigger the vulnerability:
http://agoracgistorehost/cgi-bin/store/agora.cgi?page=non-existent-file.html
This type of URL will return the absolute path of the installation, as shown below:
ERROR:FILE OPEN ERROR-./html/pages/non-existent-file.html
FILE: /home/httpd/cgi-bin/store/agora.cgi
LINE: 1114
Impact:
A remote user can obtain information about the installation path of Agora.cgi on the server.
Solution:
The vendor has responded that the reported behavior occurs only in debug mode. For this to happen in the current release version (4.0d), debug mode must be on in the manager and an internal cart_id tracking variable must be explicitly turned on. In debug mode, the offending javascript is displayed to the browser exactly as given to the site but is properly escaped when written to the log file. According to the vendor, the 'cart_id' variable is highly filtered in normal (i.e., non-debug) mode.
The vendor warns that live stores should not be run in debug mode.
The vendor also reports that they may modify the product to escape the javascript display even in debug mode in the forthcoming version 4.0e.
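As an added illustration that is not Agora.cgi's code: a small Python stand-in for a page-open error handler showing the two debug-mode behaviours the advisory describes (absolute script path and line number echoed to the browser, cart_id echoed unescaped) next to a hardened handler that keeps the path in the log only and escapes cart_id in every mode. The page directory, script path, line number and log are constructed from the advisory text.

```python
import html
import os

# Constructed stand-ins for the values quoted in the advisory; not Agora.cgi's code.
PAGES_DIR = "./html/pages"
SCRIPT_PATH = "/home/httpd/cgi-bin/store/agora.cgi"
ERROR_LINE = 1114
LOG_FILE = []  # constructed stand-in for the store's log file

def log_failure(page, cart_id):
    """Write the full diagnostic to the log; untrusted input is escaped there in every mode."""
    LOG_FILE.append("ERROR:FILE OPEN ERROR-%s/%s FILE: %s LINE: %d cart_id=%s" % (
        PAGES_DIR, html.escape(page, quote=True), SCRIPT_PATH, ERROR_LINE,
        html.escape(cart_id, quote=True)))

def render_error_reported(page, cart_id, debug):
    """Browser output as the advisory describes it for a store left in debug mode."""
    log_failure(page, cart_id)
    if debug:
        # Debug mode: absolute script path and line number disclosed, cart_id echoed raw.
        return "ERROR:FILE OPEN ERROR-%s/%s\nFILE: %s\nLINE: %d\ncart_id=%s" % (
            PAGES_DIR, page, SCRIPT_PATH, ERROR_LINE, cart_id)
    # Normal mode: generic message, no path, cart_id filtered.
    return "ERROR: requested page not found\ncart_id=%s" % html.escape(cart_id, quote=True)

def render_error_hardened(page, cart_id, debug):
    """Browser output that never includes the install path and escapes cart_id in
    every mode (the change the vendor says may ship in 4.0e)."""
    log_failure(page, cart_id)
    body = "ERROR: requested page not found\ncart_id=%s" % html.escape(cart_id, quote=True)
    if debug:
        # Debug mode still tells the developer which relative page failed, nothing more.
        body += "\nDEBUG: could not open %s/%s (full detail in log)" % (
            PAGES_DIR, html.escape(page, quote=True))
    return body

def leaks_install_path(body):
    """Detection check: does a response body contain the installation directory?"""
    return os.path.dirname(SCRIPT_PATH) in body
```

The same check can be run against captured responses from a store's own error pages to confirm that debug mode is off before it goes live.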
Vendor URL: www.agoracgi.com
Cause:
Configuration error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: 24 Jan 2002 17:47:30 -0000
Subject: Re: Agoracgi v3.3e Cross Site Scripting Vulnerability
In-Reply-To: <068b01c1874a$7b1296b0$cb9c2bd5@ts>
The cart_id is a highly filtered variable, and has been from the start of this shopping cart. Some folks were concerned about the Cross Site Scripting Vulnerability (CSS) that has been talked about so often over the last year or so and how it related to agora.cgi. That, combined with the desire to track errors in coding of web pages in web site development, led us to add diagnostics in version 4.0x to display artificial changes in the cart_id that showed when the site was in debug mode.
The vulnerability did not exist, as far as we can tell, at any time in a live store running in non-debug, or normal, mode. In debug mode, the offending javascript is displayed to the browser exactly as given to the site but has been escaped to the log file for security reasons. We are probably going to escape out the javascript display even in debug mode on 4.0e. We want to balance the needs of debug mode, where we show inner workings to a developer, with the needs to be as secure as possible.
The current release version, 4.0d, needs to have debug mode on in the manager and an internal cart_id tracking variable turned on explicitly to see the javascript issue. The web site store version 4.0c displayed the javascript, as it was in debug mode and had that cart_id variable turned on. The original post said it was version 3.3e, but the actual cart used must have been 4.0x as 'stock' version 3.3e did not have the diagnostic code installed.
The best thing to do is have debug mode turned off on a live store, for this or any issue in fact. Debug mode is there to assist developers by showing errors on the browser (instead of having to hunt for them in the log file) but by its nature can give up some level of security, as well as make a site look and feel less attractive.