From olle.segerdahl@DEFCOM-SEC.COM Mon Sep 11 16:55:55 2000
From: Olle Segerdahl
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Mon, 11 Sep 2000 09:38:58 +0200
Subject: [BUGTRAQ] SCO scohelphttp documentation webserver exposes local files

======================================================================
Defcom Labs Advisory def-2000-01

UnixWare 7 scohelphttp exposes local files

Author: Olle Segerdahl
Release Date: 2000-09-11
======================================================================

------------------------=[Brief Description]=-------------------------

The search function "/search97cgi/vtopic" used by the UnixWare 7
"scohelphttp" webserver (tcp port 457) contains a bug that lets anyone
with access to scohelphttp view any world-readable file on the host.

------------------------=[Affected Systems]=--------------------------

SCO UnixWare 7 with "scohelphttp" enabled (default install)

Possibly other applications using the same, or similar, search97 code.

----------------------=[Detailed Description]=------------------------

The view function of the search97cgi/vtopic cgi has a parameter called
ViewTemplate that specifies an HTML template file for search results.

(http://unixware7box:457/search97cgi/vtopic?action=view&ViewTemplate=)

The contents of this variable are not checked for "/../" paths, thus
enabling anyone to view any file readable to the webserver process.

The webserver runs as user "nobody" by default, limiting the accessible
files to files that are "world readable" (/etc/passwd, not /etc/shadow).

---------------------------=[Workaround]=-----------------------------

Run the following commands (as root) to stop and disable the
scohelphttp webserver:

/usr/ns-home/httpd-scohelphttp/stop
/usr/ns-home/httpd-scohelphttp/disable

Await fix from SCO.
-------------------------=[Vendor Response]=--------------------------

This issue was brought to SCO's attention on the 18th of July and was
assigned the ID SCO-375377.

I have, at the time of this release, not yet been informed by SCO of any
adequate fix for this problem, either existing or forthcoming.

Their initial response to my report was (verbatim):

"The search function you refer to is part of the documentation search
facility on a UnixWare 7 system that has scohelphttp(X1M), the man and
scohelp document server, configured and enabled. Disabling
scohelphttp(X1M) will remove the ability to access man pages and the
schelp online help facility on the system.

I do consider this to be a bug in scohelphttp(X1M) and I have raised
this issue with our Engineering group to see if there is a workaround
to the problem. If there is no workaround, I will escalate the issue to
be fixed."

On the 31st of July I was offered a fix involving substituting the
vtopic cgi with a shell script wrapper that checked for a dot or a
slash in the first character of the ViewTemplate variable (using
"if echo $QUERY_STRING | egrep '(Template=\.|Template=/)'") and then
ran the original (unfixed) vtopic cgi.

My reply was that this fix was not only inadequate; I also considered
it to be worse than the original, since it introduced new problems
with shell meta characters in $QUERY_STRING.

The last communication I received from SCO was on August the 8th:

"The search97cgi binary is the problem and I have conveyed a message to
the engineers responsible that the workaround is not acceptable. As
soon as I have any further news of a solution I will let you know."
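As an added illustration (written for this page, not SCO's or the author's code), the C below contrasts the first-character test from the proposed wrapper with a component-wise check of the URL-decoded ViewTemplate value that rejects any "." or ".." element and confines the result to a fixed template directory. The template directory path is an assumed placeholder, since the advisory does not give the real one.

```c
#include <stdio.h>
#include <string.h>
/* Assumed template directory: the real location is not in the advisory. */
#define TEMPLATE_DIR "/assumed/template/dir/"

/* Logic of the proposed wrapper: reject only a leading '.' or '/'. 1 = accepted. */
int first_char_check_accepts(const char *tpl)
{
    return tpl[0] != '\0' && tpl[0] != '.' && tpl[0] != '/';
}

/* Component-wise check on the already URL-decoded value: a relative path of
 * safe characters with no empty, "." or ".." component. 1 = accepted. */
int strict_check_accepts(const char *tpl)
{
    const char *p = tpl;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0) return 0;                               /* leading, double or trailing '/' */
        if (len == 1 && p[0] == '.') return 0;                /* "." component */
        if (len == 2 && p[0] == '.' && p[1] == '.') return 0; /* ".." component */
        for (size_t i = 0; i < len; i++) {
            char c = p[i];
            if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
                return 0;
        }
        if (!end) return 1;
        p = end + 1;
    }
}

/* Build the path the CGI would open; 0 when the value is rejected or does not fit. */
int resolve_template(const char *tpl, char *out, size_t outlen)
{
    if (!strict_check_accepts(tpl)) return 0;
    int n = snprintf(out, outlen, "%s%s", TEMPLATE_DIR, tpl);
    return n > 0 && (size_t)n < outlen;
}

/* Convenience wrapper: does tpl resolve to exactly the expected path? */
int resolves_to(const char *tpl, const char *expected)
{
    char buf[512];
    return resolve_template(tpl, buf, sizeof buf) && strcmp(buf, expected) == 0;
}
```

A value such as "templates/../../etc/passwd" passes the first-character test but is rejected by the component-wise check, which is why a leading-character filter alone does not close the hole.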
======================================================================
This release was brought to you by Defcom Labs of Defcom Security
labs@defcom-sec.com
www.defcom-sec.com
======================================================================