Bugtraq mailing list archives
Re: CosmoCreate security bug
From: aleph1 () DFW NET (Aleph One)
Date: Wed, 7 May 1997 11:51:12 -0500
From: Baron Roberts <baron () sgi com>
Date: Tue, 6 May 1997 16:33:06 -0700
Message-ID: <336FBFB2.167E () sgi com>
Newsgroups: comp.sys.sgi.bugs

Here is more info on the Cosmo Create security hole:

Problem
-------
Cosmo Create 1.0 and 1.0.1 allow you to dump a boilerplate Perl CGI script
from the Form Tool Script dialog. On line 33 of the script is the line:

    eval("\$$key = \"$value\"");

This line introduces a security hole in the script. The purpose of the line
was to allow form variables to be accessed as Perl variables. The boilerplate
script did not make use of this feature; it was purely a convenience. The
script actually refers to form variables using the $form associative array
(e.g. $form{'checkbox'}).

Note that in order to be vulnerable to this security hole you must have
explicitly asked Cosmo Create 1.0 or 1.0.1 to generate a boilerplate CGI
script and that script with the above 'eval' line must be in service on a
web server.

Fix
---
This security hole has been fixed and will be in the upcoming 1.0.2 release
of Cosmo Create.

Workaround
----------
If you have a form script generated by Cosmo Create 1.0 or 1.0.1, check for
the 'eval' line above. If this line is found, remove it and refer to all form
variables using the $form{'<variable name>'} syntax.

--
Baron Roberts, baron () sgi com
Cosmo Engineering, SGI
http://www.sgi.com/Products/cosmo
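The check described under Workaround, as an added example that is not part of the original advisory or SGI's code: a Python scanner that reports the quoted 'eval' line and, going slightly beyond it, any other string eval of an interpolated variable in a Perl script. The function names and the sample script are constructed for illustration.

```python
import re
from pathlib import Path

# eval applied to a double-quoted string; group 1 is the string body.
# Block-form eval { ... } (exception handling) does not match.
STRING_EVAL = re.compile(r'\beval\s*\(?\s*"((?:[^"\\]|\\.)*)"')
ESCAPED = re.compile(r'\\.')          # backslash-escaped characters
INTERP = re.compile(r'[$@]\{?\w')     # a variable Perl would interpolate
# The exact line quoted in the advisory, tolerant of whitespace changes.
COSMO = re.compile(r'eval\s*\(\s*"\\\$\$key\s*=\s*\\"\$value\\""\s*\)')

def scan_text(text):
    """Return (line_no, kind, source) for each string eval of a variable."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue                   # commented out, not executed
        match = STRING_EVAL.search(line)
        if not match:
            continue
        if not INTERP.search(ESCAPED.sub("", match.group(1))):
            continue                   # constant string, nothing interpolated
        kind = "cosmo-create" if COSMO.search(line) else "string-eval"
        findings.append((line_no, kind, line.strip()))
    return findings

def scan_tree(root, globs=("*.cgi", "*.pl")):
    """Scan every matching script under root; return {path: findings}."""
    report = {}
    for glob in globs:
        for path in Path(root).rglob(glob):
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

SAMPLE = r'''#!/usr/bin/perl
# Constructed sample, not the Cosmo Create boilerplate itself.
foreach $pair (split(/&/, $query)) {
    ($key, $value) = split(/=/, $pair);
    $form{$key} = $value;
    eval("\$$key = \"$value\"");
}
eval { do_work(); };
# eval("\$$key = \"$value\"");
eval "1 + 1";
print $form{'checkbox'};
'''

if __name__ == "__main__":
    for line_no, kind, source in scan_text(SAMPLE):
        print(f"line {line_no}: {kind}: {source}")
```

Point `scan_tree` at the web server's CGI directory; a "cosmo-create" finding is the line to remove, and a "string-eval" finding needs manual review.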