Bugtraq mailing list archives

Re: CosmoCreate security bug


From: aleph1 () DFW NET (Aleph One)
Date: Wed, 7 May 1997 11:51:12 -0500


From: Baron Roberts <baron () sgi com>
Date: Tue, 6 May 1997 16:33:06 -0700
Message-ID: <336FBFB2.167E () sgi com>
Newsgroups: comp.sys.sgi.bugs


Here is more info on the Cosmo Create security hole:

Problem
 -------

Cosmo Create 1.0 and 1.0.1 allow you to dump a boilerplate Perl
CGI script from the Form Tool Script dialog. On line 33 of the
script is the line:

        eval("\$$key = \"$value\"");

This line introduces a security hole in the script. The purpose of
the line was to allow form variables to be accessed as Perl variables.
The boilerplate script did not make use of this feature; it was
purely a convenience. The script actually refers to form variables
using the $form associative array (e.g. $form{'checkbox'}).

Note that in order to be vulnerable to this security hole you must
have explicitly asked Cosmo Create 1.0 or 1.0.1 to generate a
boilerplate CGI script and that script with the above 'eval' line must
be in service on a web server.

Fix
 ---

This security hole has been fixed and will be in the upcoming
1.0.2 release of Cosmo Create.

Workaround
 ----------

If you have a form script generated by Cosmo Create 1.0 or 1.0.1,
check for the 'eval' line above. If this line is found, remove it
and refer to all form variables using the $form{'<variable name>'}
syntax.

 --
Baron Roberts, baron () sgi com
Cosmo Engineering, SGI           http://www.sgi.com/Products/cosmo
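
The check described under Workaround, as an added example that is not part of the original message or of Cosmo Create's own code: a Perl script that flags any eval of a double-quoted string containing an interpolated variable, which is the shape of the line quoted above. The sample script body is constructed for illustration, and the match is a line-based heuristic; pass real script paths as arguments to scan those instead.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# eval of a double-quoted string; capture the string body.
my $STRING_EVAL  = qr/\beval\s*\(?\s*"((?:[^"\\]|\\.)*)"/;
# An interpolated variable: a '$name' not preceded by a backslash.
my $INTERPOLATED = qr/(?<!\\)\$\w+/;

# Constructed sample (not the real generated script): a form-parsing
# loop that contains the eval line quoted in the advisory.
my $SAMPLE = <<'END_SAMPLE';
foreach $pair (split(/&/, $query)) {
    ($key, $value) = split(/=/, $pair);
    $form{$key} = $value;
    eval("\$$key = \"$value\"");
}
print "Checkbox: $form{'checkbox'}\n";
END_SAMPLE

# Return [line_number, text] for every line that evals interpolated data.
sub find_string_evals {
    my ($fh) = @_;
    my @hits;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*#/;           # skip comment-only lines
        next unless $line =~ $STRING_EVAL;  # eval of a quoted string
        next unless $1 =~ $INTERPOLATED;    # ...built from variables
        chomp $line;
        $line =~ s/^\s+//;
        push @hits, [$., $line];
    }
    return @hits;
}

# Scan the files named on the command line, or the sample if none given.
my @targets = @ARGV ? @ARGV : (\$SAMPLE);
my $found = 0;
for my $target (@targets) {
    my $name = ref $target ? '(constructed sample)' : $target;
    open(my $fh, '<', $target) or do { warn "cannot read $name: $!\n"; next };
    for my $hit (find_string_evals($fh)) {
        printf "%s:%d: %s\n", $name, @$hit;
        $found++;
    }
    close $fh;
}
exit($found ? 1 : 0);    # non-zero exit when a script needs the workaround
```

A flagged script needs the eval line removed and its form fields read through $form{'<variable name>'}, as the workaround states.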


