[Cgi Security Advisory #3.1]
admin@cgisecurity.com

Found:                   January 3rd 2001
Vendor Contacted:        January 3rd 2001
Public Release:          January 7th 2001

Script Affected:         bbs_forum.cgi
Free Versions Affected:  1.0 (others unknown)
Platforms:               UNIX
Vendor:                  http://www.extropia.com
Patch:                   http://www.extropia.com/hacks/bbs_security0.html

1. Impact

Any file can be read with the permissions of user nobody (or the web server user). Possible root compromise in the bbs_forum.cgi script. Command execution is allowed and therefore shell spawning is possible. This has been tested on UNIX and Linux systems only; it is unknown whether Windows versions exist and/or are affected.

One thing to note about this hole is that Perl was running in taint mode (perl -T) and still allowed files to be read. This was not originally intended. Taint mode blocks tainted data from reaching commands that modify files, directories or processes or that spawn a shell, but it does not stop a tainted value being used to open a file for reading, which is all this hole needs. This is proof that perl -T is not always enough. Command execution is not possible with versions that use taint mode. (The original bugtraq posting got sent out before I reviewed my wording on this. Oops!)

Example:

    www.host.com/cgi-bin/bbs_forum.cgi?forum=&read=../bbs_forum.cgi

will return the script's own source code.

Note: in order for this hole to work a valid forum name must be used, so simply calling read= on its own may not work.

2. Fixes

The vendor has been contacted about this serious security problem. Please visit the vendor's website for patches and other important information.

3. Attached Vendor Patch

Note: This is a patch for people who know what they are doing. Please visit http://www.extropia.com/hacks/bbs_security0.html for information on upgrading.

********************* Vendor patch snippet **************************

If you have made extensive modifications to bbs_forum.cgi and do not wish to start over from scratch, search for the line at the start of bbs_forum.cgi that says

    &ReadParse;

and insert afterwards the following:

    # Only accept message file names of the form <digits>-<digits>.msg
    if ($in{'read'} && $in{'read'} !~ /^\d+-\d+\.msg$/i) {
        print "Invalid Message #";
        die("Invalid Message # provided: " . $in{'read'});
    }
    if ($in{'reply_to_message'} && $in{'reply_to_message'} !~ /^\d+-\d+\.msg$/i) {
        print "Invalid Reply To Message #";
        die("Invalid Reply To Message # provided: " . $in{'reply_to_message'});
    }

This code assures the script that the message file form variables can only consist of the strict filename format of digits followed by a hyphen followed by some digits followed by the literal string ".msg". We recommend updating your script as soon as possible.

Special thanks to cgisecurity.com for pointing out the issue.

**************************** End Patch ******************************

Published to the Public January 2001
Copyright January 2001 Cgisecurity.com
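As an added example (not part of this advisory and not Extropia's code), the vendor's allowlist check reimplemented in Python beside the plain path concatenation that lets a read= value such as ../bbs_forum.cgi walk out of the forum directory. The forum directory layout, the message file and the stand-in script file are all constructed inside a temporary directory for the demonstration. Two details go slightly beyond the patch text: the match is done with re.fullmatch rather than ^...$, because $ in both Perl and Python also matches before a trailing newline (Perl's strict end anchor is \z), and the resolved path is additionally checked to lie under the forum directory as defence in depth.

```python
import re
import tempfile
from pathlib import Path

# Allowlist from the vendor patch: <digits>-<digits>.msg, case-insensitive.
# fullmatch() anchors at both ends with no trailing-newline leniency.
MESSAGE_NAME = re.compile(r"\d+-\d+\.msg", re.IGNORECASE)


def is_valid_message_name(value: str) -> bool:
    """True only for names of the exact form the patch allows."""
    return MESSAGE_NAME.fullmatch(value) is not None


def resolve_message_path(forum_dir: Path, message: str) -> Path:
    """Patched behaviour: validate the form value, then confine the path.

    Raises ValueError for anything outside the allowlist or outside forum_dir.
    """
    if not is_valid_message_name(message):
        raise ValueError(f"Invalid Message # provided: {message!r}")
    candidate = (forum_dir / message).resolve()
    # Defence in depth: even an allowlisted name must resolve inside the forum.
    if forum_dir.resolve() not in candidate.parents:
        raise ValueError("message path escapes forum directory")
    return candidate


def unpatched_message_path(forum_dir: Path, message: str) -> Path:
    """Unpatched behaviour: the form value is simply appended to the directory."""
    return forum_dir / message


def run_demo() -> dict:
    """Build a constructed forum tree and compare both code paths on it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        forum_dir = Path(tmp) / "forums" / "general"
        forum_dir.mkdir(parents=True)
        (forum_dir / "1-2.msg").write_text("hello from message 1-2")
        # Constructed stand-in for the script living one level up from the forum.
        (Path(tmp) / "forums" / "bbs_forum.cgi").write_text("#!/usr/bin/perl -T\n")

        # A legitimate message is served by both versions.
        results["valid_read"] = resolve_message_path(forum_dir, "1-2.msg").read_text()

        # Unpatched: the OS follows ".." at open time, so the script file is returned.
        traversal = "../bbs_forum.cgi"
        results["unpatched_read"] = unpatched_message_path(forum_dir, traversal).read_text()

        # Patched: the allowlist rejects the same value before any file is opened.
        try:
            resolve_message_path(forum_dir, traversal)
            results["patched_rejects"] = False
        except ValueError:
            results["patched_rejects"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The unpatched helper reads the stand-in script only inside the temporary tree; its purpose is to make visible what the allowlist prevents, and to show that a filename check is the right place for the fix because taint mode alone would not have blocked that read-only open.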