From franklin@QDEFENSE.COM Tue Apr 17 06:49:24 2001
From: Franklin DeMatto <franklin@QDEFENSE.COM>
X-Sender:  (Unverified)
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 16 Apr 2001 21:30:24 -0400
Subject: [BUGTRAQ] qDefense Advisory: DCForum allows remote              read/write/execute

qDefense Advisory Number QDAV-5-2000-1
Product: DCForum
Vendor: DCScripts (www.dcscripts.com)
Version Tested: DCForum 2000 1.0
Severity: Any remote attacker may gain read/write/execute privilleges
Cause: Failure to validate input; Trust of hidden fields; Allows uploading
of arbitrary files by default
Solution: Provided here

DCForum is a popular CGI to create message boards on web sites.

It contains, however, a number of serious vulnerabilities.

In line 121 of file dcboard.cgi, there is a line "require <prefix><az
hidden form field><suffix>;". (The exact line was not quoted do to
copyright limitations.)

The perl statement "require EXPR" will open the file EXPR, parse it, and
execute it, as regular perl, as if the entire contents of that
file appeared at that point. Therefore, an attacker who writes a file
containing perl commands to the server will be able to execute
them by setting the az field to the name of his file on the server.

To make matters worse, no input checking is done on the az field, so as
long the file is located anywhere on the server, an attacker
can reference it, using double dots to undo the prefix and a %00 to
truncate off the suffix.

Getting the file onto the server is no problem either. DCForum, by default,
allows any user to upload any file, by setting
az=upload_file. However, there are other ways of getting files onto the
server, so even servers that disable uploading are vulnerable.

Solution:

Patch dcboard.cgi to remove double dots and poison nulls

Disable uploading

(Note: this solution by no means ensures DCForum's security; it merely is a
band-aid for this vulnerability)
Franklin DeMatto
franklin@qDefense.com
qDefense - DEFENDING THE ELECTRONIC FRONTIER