Brief description: Textcounter (1) CGI program allows remote command execution
Full description: Textcounter is a popular tool for adding hit counters to web pages. A vulnerability exists in some versions of this program that allows remote attackers to execute arbitrary commands on the hosting server with the privileges of the server process.
The code responsible for the problem is:

    # Get the page location from the DOCUMENT_URI environment variable.
    $count_page = "$ENV{'DOCUMENT_URI'}";
    ...
    if (-e "$data_dir$count_page") {
        open(COUNT,"$data_dir$count_page");

Shell metacharacters in $count_page are not removed or escaped, so they are executed at the open. They are not executed at the "if", so the script has to run twice: once to create the file (the "if" condition being false) and again to reach the open (the "if" condition being true).
Components: textcounter version 1.2 (perl), 1.3 (C++)
Systems:
Effect(s) of exploiting: The remote user can execute commands with the privileges of the server.
Detecting the hole:
Fixing the hole:
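
    $count_page = "$ENV{'DOCUMENT_URI'}";    # the original line 91
    ....
    # Percent-encode every character outside a-z and 0-9; ord() gives each
    # character its own hex code.
    $count_page =~ s/([^a-z0-9])/sprintf("%%%02X",ord($1))/ge;    # ADD THIS !!!!!

This wipes out all metacharacters.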
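
The same fix combined with a three-argument open, which never parses the file name for a mode or pipe character. This is an added example, not code from textcounter or from the original report; the helper names encode_page and read_count, the demo directory and the sample URIs are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not in textcounter): percent-encode every character
# outside [a-z0-9], using ord() so each character maps to its own hex code.
sub encode_page {
    my ($uri) = @_;
    $uri = '' unless defined $uri;
    $uri =~ s/([^a-z0-9])/sprintf("%%%02X", ord($1))/ge;
    return $uri;
}

# Hypothetical helper: read a counter file. The explicit '<' mode makes
# open() treat the path purely as a file name, whatever it contains.
sub read_count {
    my ($data_dir, $uri) = @_;
    my $path = $data_dir . encode_page($uri);
    return 0 unless -e $path;               # no counter file yet
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my $count = <$fh>;
    close($fh);
    $count = 0 unless defined $count;       # empty file
    chomp $count;
    # Accept only a plain decimal counter; anything else counts as 0.
    return $count =~ /^\d+$/ ? $count : 0;
}

# Constructed sample values, not taken from the advisory.
for my $uri ('/index.html', '/docs/Page 1.html', '/a;b|c') {
    printf "%-20s -> %s\n", $uri, encode_page($uri);
}

# Constructed demo directory; returns 0 when no counter file exists there.
print "count: ", read_count('/tmp/textcounter-demo/', '/index.html'), "\n";
```

Because the encoded name contains only letters, digits and '%', it also cannot carry a path separator out of the data directory.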
Other information:
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
Attack:
Advisories: ISS X-Force database entry http-cgi-textcounter; Security Focus report
Related Vulnerabilities:
Reporting: Doru Petrescu in Bugtraq (Wed, 24 Jun 1998 08:51:11 +0300)