[18667] in Athena Bugs
patch Re: path disclosure in cgiemail 1.6
daemon@ATHENA.MIT.EDU (Thomas Smith)
Thu Jan 11 21:09:59 2001
Date: Thu, 11 Jan 2001 21:09:48 -0500
From: Thomas Smith <tgs@finbar.dyndns.org>
To: cgiemail@MIT.EDU, bugs@MIT.EDU
Message-Id: <20010111210948.C3041@megafauna.finbar.dyndns.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature"; boundary="0H629O+sVkh21xTi"
Content-Disposition: inline
In-Reply-To: <20001228184317.B11703@megafauna.homenet>; from tgs@finbar.dyndns.org on Thu, Dec 28, 2000 at 06:43:17PM -0500
Mail-Copies-To: nobody
(Sorry bugs@mit.edu, I did not find your email
address in my original bug report, which
includes demonstrations and such. If you
like, I can send a copy to you.)
Hello.
It would be nice if you applied this simple patch,
or something like it, to the sources of cgiemail.
At the very least, another short section should
be added to its webmaster guide
(http://web.mit.edu/wwwdev/cgiemail/webmaster.html).
Here's a possible quick explanation of the risk,
for that page (it should go in the "Gain
Information About the web server's host machine
that will allow them to break into the system"
section):
Cgiemail does not give users such information;
however, when compiled with DISCLOSE_PATHS
defined (not the default; you might do that to
make it easier to debug), it will reveal the
filesystem path of any directory or any short
file. While not a serious vulnerability in
and of itself, the disclosure of this
information could be used by an attacker to
make some other attack easier or more effective.
Here are my patches (patch -p0 < this_file_saved):
--- cgi.h.in Thu Jan 11 20:24:25 2001
+++ cgi.h.in-NEW Thu Jan 11 20:23:48 2001
@@ -79,5 +79,8 @@
/* File for cgifile to append to */
#define CGI_INFILE "incoming.txt"
=20
+/* define DISCLOSE_PATHS if you want to open up a path disclosure vulnerab=
ility. */
+/* #undef DISCLOSE_PATHS */
+
#include "cgi-ptypes.h"
#endif /* _CGI_H */
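Review bot: the new comment in cgi.h.in says what defining DISCLOSE_PATHS costs but not what it is for, so a webmaster skimming the header has no reason to ever touch it; since the define exists for debugging, say so, e.g. `/* Define DISCLOSE_PATHS only while debugging: it puts filesystem paths into client-visible error text. */`. The `/* #undef DISCLOSE_PATHS */` form leaves the symbol undefined unless someone edits it in, so the default build is the non-disclosing one, which is the right side to default to.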
--- cgilib.c Thu Jan 11 20:24:25 2001
+++ cgilib.c-NEW Thu Jan 11 20:23:43 2001
@@ -483,7 +483,11 @@
formp->errcond=3D1;
strcpy(formp->errmsg, "500 Could not open template");
cgi_concat_errno(formp->errmsg);
+#ifdef DISCLOSE_PATHS
strncpy(formp->errinfo, templatefile, CGI_ERRMSG_MAX);
+#else
+ strcpy(formp->errinfo, "Template file could not be accessed.");
+#endif /* DISCLOSE_PATHS */
return(1);
}
=20
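Review bot: the `#ifdef DISCLOSE_PATHS` branch keeps the original `strncpy(formp->errinfo, templatefile, CGI_ERRMSG_MAX)`, which does not NUL-terminate errinfo when templatefile is CGI_ERRMSG_MAX bytes or longer; if the debugging build is going to stay, add `formp->errinfo[CGI_ERRMSG_MAX-1] = '\0';` after it or copy only `CGI_ERRMSG_MAX-1` bytes. Also note that `cgi_concat_errno(formp->errmsg)` still runs before the `#ifdef`, so the client continues to see the errno text in errmsg; that is not the path, but the patch description should say that the path is the only disclosure this removes.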
@@ -659,7 +663,11 @@
{
formp->errcond=3D1;
strcpy(formp->errmsg, "403 No variable substitutions in template");
+#ifdef DISCLOSE_PATHS
strncpy(formp->errinfo, templatefile, CGI_ERRMSG_MAX);
+#else
+ strcpy(formp->errinfo, "Template file doesn't look like a template."=
);
+#endif /* DISCLOSE_PATHS */
return(1);
}
=20
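Review bot: this is the second copy of the same `#ifdef DISCLOSE_PATHS` / `#else` / `#endif` block in cgilib.c, differing only in the fallback string; a small helper or macro that holds the `#ifdef` once, e.g. `cgi_set_errinfo_path(formp, templatefile, "Template file doesn't look like a template.")`, would keep the two sites from drifting apart, and the same missing-termination concern raised on the earlier hunk applies to the retained `strncpy` here.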
This vuln., if nothing else, could amuse me for a good long
while. http://web.mit.edu/bin/cgiemail/wwwdev/cgiemail
shows that web.mit.edu is connected to an MIT internal net
through net.mit.edu, and that the wwwdev project pages
are hosted on Athena. web.mit.edu probably accesses them
using the Andrew File System. Very interesting :-)
Have fun,
Thomas
--
Thomas Smith <tgs@finbar.dyndns.org>
http://finbar.dyndns.org/
gpg key id 1024D/ACABA81E, fingerprint:
3A47 CFA5 0E5D CF4A 5B22 12D3 FF1B 84FE ACAB A81E
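The pattern the patch above applies, kept as a self-contained C example added here (it is not cgiemail's code and not part of the original message): the filesystem path goes to the server-side log, the client-visible error field gets the path only when a disclose flag is set, and every copy into the fixed-size field is bounded and NUL-terminated. The `struct form_error` type, `ERRINFO_MAX`, `report_template_error`, `errinfo_leaks_path` and `self_check` are hypothetical names standing in for cgiemail's `formp`, `CGI_ERRMSG_MAX` and error-setting code; the sample path in `self_check` is constructed. The flag is a runtime argument rather than a compile-time `#ifdef` so both builds can be exercised in one program.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for cgiemail's CGI_ERRMSG_MAX; kept small so that
 * the truncation case in self_check() is easy to hit. */
#define ERRINFO_MAX 64

/* Hypothetical stand-in for the error fields of cgiemail's form struct. */
struct form_error {
    int errcond;
    char errmsg[ERRINFO_MAX];
    char errinfo[ERRINFO_MAX];
};

/* Copy at most dstsize-1 bytes and always NUL-terminate. A plain
 * strncpy(dst, src, dstsize) leaves dst unterminated when src is long. */
static void copy_bounded(char *dst, size_t dstsize, const char *src) {
    if (dstsize == 0) return;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
}

/* Record a failure to open the template. The path always goes to stderr,
 * which a CGI host normally routes to its error log; it reaches the
 * client-visible errinfo field only when disclose_paths is nonzero.
 * The errno text in errmsg is still client-visible, as in the original
 * code; it names the failure kind, not the location. Returns 1 like the
 * cgiemail code path it mirrors. */
int report_template_error(struct form_error *f, const char *templatefile,
                          int saved_errno, int disclose_paths) {
    f->errcond = 1;
    snprintf(f->errmsg, sizeof f->errmsg, "500 Could not open template: %s",
             strerror(saved_errno));
    fprintf(stderr, "cgiemail: cannot open template %s: %s\n",
            templatefile, strerror(saved_errno));
    if (disclose_paths)
        copy_bounded(f->errinfo, sizeof f->errinfo, templatefile);
    else
        copy_bounded(f->errinfo, sizeof f->errinfo,
                     "Template file could not be accessed.");
    return 1;
}

/* 1 if the client-visible errinfo contains the template path. */
int errinfo_leaks_path(const struct form_error *f, const char *templatefile) {
    return strstr(f->errinfo, templatefile) != NULL;
}

/* Returns 1 when the non-disclosing mode hides the path, the disclosing
 * mode shows it, and an over-long path is truncated rather than overrun. */
int self_check(void) {
    const char *path = "/var/www/example/templates/form.txt"; /* constructed */
    char longpath[200];
    struct form_error f;

    memset(longpath, 'a', sizeof longpath - 1);
    longpath[0] = '/';
    longpath[sizeof longpath - 1] = '\0';

    if (report_template_error(&f, path, ENOENT, 0) != 1) return 0;
    if (errinfo_leaks_path(&f, path)) return 0;
    if (strcmp(f.errinfo, "Template file could not be accessed.") != 0) return 0;

    if (report_template_error(&f, path, ENOENT, 1) != 1) return 0;
    if (!errinfo_leaks_path(&f, path)) return 0;

    report_template_error(&f, longpath, EACCES, 1);
    if (strlen(f.errinfo) != ERRINFO_MAX - 1) return 0;  /* bounded, terminated */
    return 1;
}

int main(void) {
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The log line on stderr is what keeps the debugging use case alive without the define: the path is still recorded where an administrator can read it, just not where a browser can.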