GuestBookCheck

Vulnerability Description

Brief description: Remote users may execute commands on the server, including displaying any files to which the web server has read access.

Full description: When the guest book is configured to allow HTML posts and server-side includes are enabled for HTML files, an attacker may be able to embed SSI (server-side include) code in guest book messages. Server-side includes allow remote command execution, including displaying any file to which the web server has read access (see the example):

<!--#exec cmd="cat /etc/group"
To prevent this, guestbook.pl parses for SSI commands under the assumption that they are in this format:
<-- SSI command -->
The leading "<-" does not need to be there. Apache accepts other formats, which evade the regular expression in guestbook.pl, so the commands execute on the target host just as if the page author had placed them there.

Components: Matt Wright GuestBook 2.3

Systems:

Effect(s) of exploiting: A remote user can execute any command the web server has access to, regardless of the server's access controls. The command executes with the web server's privileges.

Detecting the hole:

    1. If GuestBook 2.3 is on the system, the vulnerability exists.
    2. If any guest book CGI script meets all of the following conditions, you are vulnerable:
        a. the server allows server-side includes in the directory in which the guest book is located;
        b. the guest book application allows the remote user to write HTML tags into the comment field of the guest book;
        c. the guest book application does not filter the appropriate HTML tags.

Fixing the hole:

    1. Turn off the guest book's comment tag, which effectively turns off the interpretation of HTML tags: in the setup file, set $allow_html = "no"
    2. Turn off the command that allows the server to execute commands through this script: in the setup file, set @bad_words = { "exec" }
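The description above explains why a filter that only recognises fully delimited "<!-- ... -->" spans misses the advisory's payload, which has no closing "-->", and the fixes above rely on not interpreting HTML at all. The following Python is an added example, not code from guestbook.pl (which is Perl): the weak filter is an assumed approximation of the regular-expression check the description attributes to guestbook.pl, placed beside a detector that keys on the directive prefix mod_include actually recognises and an escaping renderer that corresponds to disallowing HTML.

```python
import html
import re

# The payload quoted in the advisory: an SSI exec directive with no closing "-->".
ADVISORY_PAYLOAD = '<!--#exec cmd="cat /etc/group"'

# Weak filter (assumption: an approximation of the check described above, not
# guestbook.pl's own code). It assumes every SSI directive is delimited as
# "<!-- ... -->", so it removes only spans that carry both delimiters.
WEAK_SSI_RE = re.compile(r'<!--.*?-->', re.DOTALL)

def weak_strip_ssi(comment: str) -> str:
    """Remove only well-formed '<!-- ... -->' spans; anything else passes through."""
    return WEAK_SSI_RE.sub('', comment)

# Defender-side check: mod_include recognises a directive by its "<!--#" prefix,
# so flag that prefix regardless of whether a closing "-->" ever appears.
SSI_START_RE = re.compile(r'<!--\s*#')

def contains_ssi(comment: str) -> bool:
    """True if the text contains the opening of an SSI directive at all."""
    return SSI_START_RE.search(comment) is not None

def render_comment(comment: str, allow_html: bool = False) -> str:
    """Prepare a comment for inclusion in the guest book page.

    With HTML disallowed (the $allow_html = "no" fix above) every '<', '>' and
    '"' is escaped, so no directive can form in the stored page. If HTML is
    allowed, refuse any comment that contains an SSI directive prefix.
    """
    if not allow_html:
        return html.escape(comment, quote=True)
    if contains_ssi(comment):
        raise ValueError("SSI directive in comment rejected")
    return comment
```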

Other information:

Keywords

Cataloguing

PA Classification(s):

RISOS Classification(s):

DCS Classification(s):

CVE Number: CVE-1999-0237 -- Remote execution of arbitrary commands through Guestbook CGI program.

Exploit Information

Attack:

<!--#exec cmd="cat /etc/group"

Related Information

Advisories: BugTraq ID 776; CERT VB-97.02 describes a similar vulnerability in Selena Sol's guest book CGI script; ISS X-Force's http-cgi-guestbook; Extropia gives the fixes listed above

Related Vulnerabilities:

Reportage

Reporting: Blue Boar <BlueBoar@thievco.com> in BugTraq message ID: 3823D8AC.6B18A48B@thievco.com (Fri Nov 05 1999 06:28:44)

Revision Number 1

  1. Homer Briggs (6/26/2000):
    Created entry