Fw: CERT Vendor-Initiated Bulletin VB-97.02 - Guestbook Script Vulnerability

Gerry Smith ( gsmith@dnc.net )
Thu, 24 Apr 1997 17:30:22 -0700

----------
> From: CERT Bulletin <cert-advisory@cert.org>
> To: cert-advisory@cert.org
> Subject: CERT Vendor-Initiated Bulletin VB-97.02 - Guestbook Script Vul
> Date: Thursday, April 24, 1997 1:40 PM
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> =============================================================================
> CERT* Vendor-Initiated Bulletin VB-97.02
> April 24, 1997
>
> Topic: Security Hole in Guestbook Script for Web Servers Using SSI
> Source: Selena Sol
>
> To aid in the wide distribution of essential security information, the
> CERT Coordination Center is forwarding the following information from
> Selena Sol, who urges you to act on this information as soon as
> possible. Contact information is included in the forwarded text below; please
> contact Selena Sol if you have any questions or need further information.
>
> =======================FORWARDED TEXT STARTS HERE============================
>
> Problem: Vulnerability in all versions of Selena Sol's Guestbook
>
> I. Description
>
> Guestbook applications allow a person browsing a web site to "sign" an
> electronic guestbook and leave an appropriate message. A guestbook CGI script
> is made freely available by Selena Sol at the following URL:
>
> http://www.eff.org/~erict/Scripts/guestbook.html
>
> All versions of this program have a vulnerability that under certain
> conditions allows a remote user to execute arbitrary commands on the server
> as the user id of the httpd daemon. These conditions are:
>
> - the server allows Server Side Includes (SSI) on the directory in
> which the guestbook is located, and,
>
> - the guestbook application allows the remote user to write HTML
> tags into the Comment field of the guestbook, and,
>
> - the guestbook application does not filter appropriate HTML tags.
>
>
> II. Impact
>
> Remote users may be able to execute arbitrary commands on the web server as
> the uid of the httpd daemon.
>
>
> III. Solution
>
> Sites using this application should either update their guestbook to the
> current version or implement the following steps as appropriate to the
> version they are using. Note that this may mean changing default values within
> the application.
>
> (a) Disable SSI on the directory in which the guestbook application writes
> its data. See your WWW server documentation for details.
>
> (b) Filter HTML tags that can be used to process arbitrary local data:
>
> $ diff -c guestbook.cgi.old guestbook.cgi
> *** guestbook.cgi.old Mon Apr 21 15:52:39 1997
> --- guestbook.cgi Mon Apr 21 16:07:45 1997
> ***************
> *** 88,108 ****
>
> @form_variables = keys (%form_data);
>
> ! # For every variable sent to us from the form, and for each word in
our
> ! # list of bad words, replace (=~ s/) any occurrence, case
insensitively
> ! # (/gi) of the bad word ($word) with the word censored.
> ! # $form_data{$variable} should be equal to what the client filled in
in
> ! # the input boxes...
> #
> ! # Further, if the admin has set allow_html to 0, (!= 1) it means
that she
> ! # does not want the users to be able to use HTML tags...so, delete
them.
>
> foreach $variable (@form_variables)
> {
> foreach $word (@bad_words)
> {
> $form_data{$variable} =~ s/\b$word\b/censored/gi;
> }
> if ($allow_html != "yes")
> {
> $form_data{$variable} =~ s/<([^>]|\n)*>//g;
> --- 88,121 ----
>
> @form_variables = keys (%form_data);
>
> ! # For every variable sent to us from the form, filter HTML tags
> ! # that we do not allow regardless of configuration.
> #
> ! # Also, for each word in our list of bad words, replace (=~ s/)
> ! # any occurrence, case insensitively (/gi) of the bad word ($word)
> ! # with the word censored. $form_data{$variable} should be equal
> ! # to what the client filled in in the input boxes...
> ! #
> ! # Further, if the admin has set allow_html to 0, (!= 1) it means
> ! # that she does not want the users to be able to use HTML tags...so,

> ! # delete them.
>
> foreach $variable (@form_variables)
> {
> +
> + # Strip non-negotiable HTML.
> + # Un-Webify plus signs and %-encoding
> + $form_data{$variable} =~ tr/+/ /;
> + $form_data{$variable} =~
s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> + $form_data{$variable} =~ $value =~ s/<!--(.|\n)*-->//g;
> +
> + # Replace bad words.
> foreach $word (@bad_words)
> {
> $form_data{$variable} =~ s/\b$word\b/censored/gi;
> }
> +
> + # Strip ALL HTML if configured this way.
> if ($allow_html != "yes")
> {
> $form_data{$variable} =~ s/<([^>]|\n)*>//g;
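Review bot: the added line `$form_data{$variable} =~ $value =~ s/<!--(.|\n)*-->//g;` carries a stray `$value =~`; `=~` is left-associative, so Perl parses it as `($form_data{$variable} =~ $value) =~ s/.../` and the comment-stripping substitution is never applied to the field (Perl rejects it, since the result of a match cannot be modified). It should read `$form_data{$variable} =~ s/<!--(.|\n)*-->//g;`, in the same form as the two decoding lines above it. Two further points on the visible lines: `if ($allow_html != "yes")` is a numeric comparison, and both "yes" and "no" numify to 0, so the strip-all-HTML branch never runs whatever the setting is; it should be `ne`. And a delete-once regex is weaker than escaping: converting `<` and `>` in the stored text to `&lt;` and `&gt;` (or rejecting any field that still contains `<!--` after decoding) makes it impossible for an entry to be parsed as an SSI directive, independent of how the pattern matches.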
>
>
> (c) If you do not wish to allow guests to leave HTML tags at all, disable
> the use of HTML tags in the guestbook by setting appropriate configuration
> variables. You can do this by changing the following line in
> guestbook.setup:
>
> $ diff -c guestbook.setup.old guestbook.setup
> *** guestbook.setup.old Wed Aug 14 16:28:13 1996
> --- guestbook.setup Mon Apr 21 15:51:20 1997
> ***************
> *** 16,22 ****
>
> $remote_mail = "yes"
>
> ! $allow_html = yes;
>
> @required_fields = ("realname", "comments");
>
> --- 16,22 ----
>
> $remote_mail = "yes"
>
> ! $allow_html = no;
>
> @required_fields = ("realname", "comments");
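Review bot: `$allow_html = no;` (like the `yes` it replaces) is an unquoted bareword, which Perl only accepts when the file is not compiled under `use strict`; write it as `$allow_html = "no";` in the same style as `$remote_mail = "yes"`. The `$remote_mail = "yes"` context line also lacks a terminating semicolon, so as shown the two statements run together and the file will not parse. Note too that this setting is only honoured if the check in guestbook.cgi is a string comparison: with the `!=` used there, "yes" and "no" are numerically equal and the strip-all-HTML branch never triggers, so step (c) on its own does not close the hole; the comment-stripping of step (b) must be in place as well.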
>
>
>
> For more information, contact Selena Sol at selena@eff.org
>
> ========================FORWARDED TEXT ENDS HERE=============================
>
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident Response
> and Security Teams (FIRST). See http://www.first.org/team-info/.
>
> We strongly urge you to encrypt any sensitive information you send by email.
> The CERT Coordination Center can support a shared DES key and PGP. Contact
> the CERT staff for more information.
>
> Location of CERT PGP key
> ftp://info.cert.org/pub/CERT_PGP.key
>
>
> CERT Contact Information
> - ------------------------
> Email cert@cert.org
>
> Phone +1 412-268-7090 (24-hour hotline)
> CERT personnel answer 8:30-5:00 p.m. EST
> (GMT-5)/EDT(GMT-4), and are on call for
> emergencies during other hours.
>
> Fax +1 412-268-6989
>
> Postal address
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> USA
>
> CERT publications, information about FIRST representatives, and other
> security-related information are available from
> http://www.cert.org/
> ftp://info.cert.org/pub/
>
> CERT advisories and bulletins are also posted on the USENET newsgroup
> comp.security.announce
>
> To be added to our mailing list for CERT advisories and bulletins, send your
> email address to
> cert-advisory-request@cert.org
> In the subject line, type
> SUBSCRIBE your-email-address
>
>
>
> * Registered U.S. Patent and Trademark Office.
>
> The CERT Coordination Center is part of the Software Engineering
> Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.
>
>
> This file: ftp://info.cert.org/pub/cert_bulletins/VB-97.02.sol_guestbook
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBM1+00XVP+x0t4w7BAQGLVAP/U/yiJ5LLMQ2emOvK2DX81eDkAZ3hYh8A
> WRgC/zM4L48KOf+yWjBRF9C76wI20Jm3gdP3YfcX4uyklo+xMtN5ZioTYuofVgmA
> sbdOuZTMwg6t44T8nY+L2zIrnp5YyTeZJSZeJUwb6bX/pgub21M0iC+ywXZ+6wFe
> 5slK5NOGCf4=
> =apLR
> -----END PGP SIGNATURE-----
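As an added example, not part of the bulletin or of the guestbook script it describes, here is the filtering sequence from the patch in section III(b) written in Python rather than the script's Perl, so the order of operations can be exercised on sample input. The function and constant names (`unwebify`, `strip_comments`, `filter_field`, `find_ssi_directives`) are mine, and the sample form post and guestbook page are constructed. The code decodes before filtering, strips comment syntax regardless of the allow_html setting, compares allow_html as a string, and goes one step beyond the bulletin with a sweep of an existing guestbook HTML file for SSI directive syntax, which an administrator applying the fix would want for entries written before it.

```python
"""Added example, not code from the CERT bulletin or from Selena Sol's guestbook:
a Python re-creation of the field filtering the bulletin's patch describes,
plus a check that can be run over an already-stored guestbook file.
"""
import re
from urllib.parse import unquote_plus

# SSI directives use SGML comment syntax (<!--#name ... -->). A server with SSI
# enabled for the guestbook directory evaluates any such comment the guestbook
# writes into its HTML file, which is the hole the bulletin describes.
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
SSI_DIRECTIVE_RE = re.compile(r"<!--\s*#.*?-->", re.DOTALL)
ANY_TAG_RE = re.compile(r"<[^>]*>", re.DOTALL)


def unwebify(value: str) -> str:
    """Undo form encoding ('+' to space, %XX to the byte), like the patch's
    tr/+/ / and pack("C", hex($1)) lines. Decoding must come before any
    filtering; an encoded '<' is otherwise never seen by the filter."""
    return unquote_plus(value)


def strip_comments(text: str) -> str:
    """Remove every <!-- ... --> block. Repeats until nothing changes, so a
    removal cannot leave behind text that is itself a comment, and drops any
    unterminated '<!--' because later markup in the page could close it."""
    while True:
        stripped = COMMENT_RE.sub("", text)
        if stripped == text:
            break
        text = stripped
    opener = text.find("<!--")
    if opener != -1:
        text = text[:opener]
    return text


def filter_field(value: str, allow_html: str, bad_words=()) -> str:
    """The steps from the bulletin's patch, in order: decode, strip the
    non-negotiable comment/SSI syntax, censor bad words, then strip all other
    tags unless the administrator allows HTML. allow_html is compared as a
    string; the script's numeric '!=' would treat "yes" and "no" as equal."""
    text = strip_comments(unwebify(value))
    for word in bad_words:
        text = re.sub(rf"\b{re.escape(word)}\b", "censored", text,
                      flags=re.IGNORECASE)
    if allow_html != "yes":
        text = ANY_TAG_RE.sub("", text)
    return text


def find_ssi_directives(guestbook_html: str) -> list:
    """Defender's check for an existing guestbook file: return every stored
    comment that uses SSI directive syntax, so entries written before the
    fix can be reviewed and removed."""
    return SSI_DIRECTIVE_RE.findall(guestbook_html)


# Constructed sample data (not taken from the bulletin).
CONSTRUCTED_POST = "Nice+site%21+%3C%21--%23echo+var%3D%22DATE_LOCAL%22+--%3E"
CONSTRUCTED_GUESTBOOK = (
    '<h3>Guestbook</h3>\n'
    '<p><b>alice</b>: great pages, <i>thanks</i></p>\n'
    '<p><b>anon</b>: hello <!--#echo var="DATE_LOCAL" --></p>\n'
    '<p><b>bob</b>: <!-- just a comment --> bye</p>\n'
)

if __name__ == "__main__":
    print("decoded :", repr(unwebify(CONSTRUCTED_POST)))
    print("filtered:", repr(filter_field(CONSTRUCTED_POST, "yes")))
    print("stored directives:", find_ssi_directives(CONSTRUCTED_GUESTBOOK))
```

Running the block prints the decoded sample, the filtered result and the list of directives found in the constructed guestbook page. The sweep is the part to run over the guestbook's own output file once SSI has been disabled or the filter installed, because the patch only protects entries written after it.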