CGIscript.net - csPassword.cgi - Multiple Vulnerabilities

[Steve Gustin <stegus1 () yahoo com>]

CGIscript.net - csPassword.cgi - Multiple
Vulnerabilities
---------------------------------------------------------------------
Date      : May 29, 2002
Product   : csPassword.cgi

Vendor    : WWW.CGIscript.NET, LLC.
Homepage  : http://www.cgiscript.net/

DISCUSSION:
---------------------------------------------------------------------
> From the website "An automated system for creating and
maintaining apache style .htaccess files to password
protect website directories."

The following issues have been found:

1) because .htpasswd files are generated in the same
folder as the .htaccess files, a web accessible
folder, it may be possible for a user who has a
password for the protected folder to download the
.htpasswd file with the usernames and passwords
(crypted) of all the other users.  Note:  The web
server would have to not otherwise restrict access to
.ht* files (some do, some don't).

2) When the program displays an error, it also display
a lot of debug information, including form input,
environment values, etc.  There's at least a "file
path disclosure" problem there, if not more.  Sample
error URL: csPassword.cgi?command=remove (They call
the &remove() function but don't define it)

3) For someone who has login access to the csPassword
program, it would be possible to insert additional
directives to the .htaccess file that is generated.
Allowing them to potentially do funky things to the
web server (redirect traffic, set scripts or data
files as viewable text files, make aliases to other
non web folders, etc, etc).  This is done by
specifying nextlines and additional chars in the title
field on the edit page.

4) When the program saves, delete, etc it's data file
it creates a "password.cgi.tmp" file that contains all
the usernames and (un-encrypted) passwords.  Depending
on your setup, this file may be readable and someone
hammering your server with requests may be able to
download it before the program can rename it over the
original.  This may be tough, but possible.
Note:  It looks as if a number of cgiscript.net's
other scripts also have this problem.


EXPLOIT: 
---------------------------------------------------------------------
An easy way to enter nextlines into the text field on
the edit page is to have your browser turn it into a
textbox for you.  In internet explorer, you can do
that by pasting this into the address bar:

javascript:void(document.form1.title.outerHTML="<textarea
name=title></textarea>");


SOLUTION
---------------------------------------------------------------------
Make sure you only allow trusted users to use the
csPassword application and make sure your web server
in configured to deny requests for .ht* and *.tmp
files.  Additionally, password protecting the
directory the csPassword program is in will prevent a
non-authorized user from viewing debug data (#2) or
downloading tmp files.


VENDOR RESPONSE
---------------------------------------------------------------------
Vendor was quick to respond.  Effected users can
receive a patch from Vendor on request.

DISCLAIMER
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.


CREDIT
---------------------------------------------------------------------
Special thanks to Michael J McCafferty
(mike () m5computersecurity com) for his assistance with
this advisory.





__________________________________________________
Do You Yahoo!?
Yahoo! - Official partner of 2002 FIFA World Cup
http://fifaworldcup.yahoo.com