exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

auction.weaver.txt

auction.weaver.txt
Posted Oct 19, 2000
Site mitre.org

Auction Weaver LITE 1.0 - 1.04 contains remote vulnerabilities which allow users to read any file on the filesystem, and delete arbitrary files. Fix available here.

tags | exploit, remote, arbitrary, vulnerability
SHA-256 | 7321c9d080577203ab8456a7016142136aeefd6b6f8b4e04f589c76bd7ab1aa9

auction.weaver.txt

Change Mirror Download
File deletion and other bugs in Auction Weaver LITE 1.0 - 1.04
--------------------------------------------------------------

Title: File deletion and other bugs in Auction Weaver LITE 1.0 - 1.04
Author: Steve Christey (coley@mitre.org)
Date Published: October 16, 2000

Product Name: Auction Weaver LITE
Affected Versions: 1.0 through 1.04
Affected Operating Systems: Unix and Windows NT
Product URL: http://www.cgiscriptcenter.com/awl/

Vendor Name: CGI Script Center
Vendor URL: http://www.cgiscriptcenter.com/
Vendor Email: support@cgiscriptcenter.com

Impact: delete and read arbitrary files
Remotely Exploitable: yes
Locally Exploitable: no

Patch Available: yes
Patched Version: Auction Weaver 1.05
Patch URL: http://www.cgiscriptcenter.com/awl/

Bugtraq ID's: 1782, 1783
http://www.securityfocus.com/bid/1782
http://www.securityfocus.com/bid/1783

CVE Candidate Numbers: CAN-2000-0810, CAN-2000-0811
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0811


Description
-----------

Auction Weaver LITE is a CGI program written in Perl. It allows users
to create and host auctions on their web site.

Auction Weaver LITE 1.0 through 1.04 was discovered to contain several
vulnerabilities that allow remote attackers to create, read, or delete
arbitrary files with the privileges of the Auction Weaver process.
These vulnerabilities are different than the ones described by
Meliksah Ozoral and teleh0r in several Bugtraq posts during August
2000 [see references below]. All of the vulnerabilities are commonly
found in CGI scripting programs.

These vulnerabilities were successfully exploited using a default
installation of Auction Weaver on a Solaris 7 box. However, all
platforms are vulnerable.

The vendor has been notified and a patch is available.


Solution
--------

Auction Weaver 1.05 fixes all of the vulnerabilities described in this
advisory. Upgrade to Auction Weaver 1.05 at:

http://www.cgiscriptcenter.com/awl/

A complete workaround is not possible for the arbitrary file deletion
problem, so users should upgrade to version 1.05.


Additional Vulnerability Details
--------------------------------

These vulnerabilities were discovered while attempting to determine
whether CGI Script Center had patched the previously announced
vulnerabilities. (While some acknowledgement was posted on the
vendor's web site, it did not provide sufficient details to be certain
that all of the identified problems had been fixed).

The Common Vulnerabilities and Exposures (CVE) project has assigned
unique names to each of these vulnerabilities. They are candidates
for inclusion in the CVE list, which standardizes names for security
problems. See http://cve.mitre.org/

The Security Focus VulnHelp service has also assigned Bugtraq ID's to
these vulnerabilities. See http://www.securityfocus.com/vdb/

1) File/directory deletion with malicious form field names containing ..
CVE candidate: CAN-2000-0810
Bugtraq ID: 1782

In Auction Weaver 1.0 through 1.04, a remote attacker can delete
arbitrary directories, and files within them, with the privileges of
the Auction Weaver process. This vulnerability is due to a lack of
sanity checking of the names of the form fields. Due to the nature
of the bug, files can be deleted outside of the web document root
using .. notation. Even if the filenames were properly cleansed of
.. problems, however, non-administrators would still be able to
delete auction information, because the vulnerable function is not
password protected.

The extent of this vulnerability is slightly mitigated by the fact
that if the targeted directory contains subdirectories, the script
may fail once it attempts to delete that subdirectory. However, it
may have deleted other files before reaching that subdirectory.

2) Arbitrary file reading and creation with .. in username and bidfile
CVE candidate: CAN-2000-0811
Bugtraq ID: 1783

In Auction Weaver 1.0 through 1.04, a remote attacker can read and
create arbitrary files in arbitrary directories with the same
privileges as the Auction Weaver process. The attacker can not
fully control the contents of the file.

The vulnerable script does not properly cleanse two form fields
(username and bidfile) whose values are later used in constructing
file pathnames. These form fields are different than those
described in previous Bugtraq posts, but it is the same kind of
vulnerability. An attacker can insert a .. into the field's value
to access files outide of the data directory.

The scope of the problem would be limited to file names with .dat
extensions, except the program is written in Perl and does not
filter out null characters. Thus the attacker can insert a null
character at the end of the filename as specified in the form,
effectively bypassing the .dat extension that is later appended to
the filename.

3) Incomplete patching of catdir and fromfile .. vulnerabilities
CVE candidate: CAN-2000-0686 (already assigned)
Bugtraq ID: 1630

Auction Weaver 1.04 does not completely fix the .. vulnerabilities
in the "catdir" and "fromfile" form fields, which was described by
Meliksah Ozoral in a Bugtraq post on August 23, 2000 [1]. As
originally described, these fields allowed file reading; however,
they also allow file deletion.

In version 1.04, the regular expression for removing ".." from
filenames is not properly specified. Only files in the parent of
the data directory can be read or deleted. However, in the default
installation of Auction Weaver, the parent directory includes the
server script itself. The script itself could be deleted, or the
administrative password could be read from it.


References
----------

The following vulnerabilities were discovered in earlier versions of
Auction Weaver. They are listed here to distinguish them from the new
vulnerabilities discussed in this advisory.

[1] Directory traversal in version 1.02 via catdir form field.

Bugtraq post by Meliksah Ozoral on August 23, 2000, titled
"Auction WeaverT LITE 1.0" (subject is also listed as
"=?iso-8859-9?Q?Auction_WeaverT_LITE_1.0?=" in some archives)

URL: http://www.securityfocus.com/archive/1/78458

Bugtraq ID: 1630
CVE candidate name: CAN-2000-0690

[2] Execute commands with shell metacharacters in fromfile form field
in version 1.02.

Bugtraq post by teleh0r on August 30, 2000, titled "More problems
with Auction Weaver & CGI Script Center."

URL: http://www.securityfocus.com/archive/1/79452

Bugtraq ID: 1645
CVE candidate name: CAN-2000-0687


Disclosure Process
------------------

These vulnerabilities were disclosed to the vendor, and to the public,
with guidance from Rain Forest Puppy's Issue disclosure policy (aka
RFPolicy) at http://www.wiretrip.net/rfp/policy.html. In addition,
this advisory follows emerging best practices for the responsible
disclosure of new vulnerability information.

1) VENDOR NOTIFICATION

Email was sent to the vendor at the suggested email addresses
referenced in RFPolicy, i.e.: securityalert, secure, security,
support, and info@cgiscriptcenter.com. The email provided all
known details of the vulnerabilities, including exploits and fixes.
A brief alert was also submitted to the online contact web page.

The subject header included the phrase "Serious security
vulnerabilities."

The email included contact information such as name, title,
organization, and phone number.

Guidance was provided to the vendor to ensure that the
vulnerabilities were properly patched.

2) PUBLIC NOTIFICATION

Public announcement of the vulnerabilities was delayed until the
vendor had a patch available and its customers were notified.

This advisory includes commonly used identifiers (Bugtraq ID's and
CVE candidate names) to support cross-referencing and to
distinguish these vulnerabilities from others.

The Security Focus VulnHelp service was consulted to obtain the
Bugtraq ID's. For more information or assistance in drafting
advisories, please email vulnhelp@securityfocus.com.

3) LEVEL OF DETAIL

Sufficient technical details are provided in this advisory so that
security researchers and system administrators can understand the
nature of the problems and distinguish them from similar problems.
Exploit code is not included with this advisory. However, all
exploit materials were provided to the vendor.


Event Log
---------

Sep 16, 2000:
- initial discovery
- notified vendor
- email to support@cgiscriptcenter.com and others
- short post to the online contact form

Sep 18, 2000:
- Vendor responded from both contact points (on the next business
day). Additional details provided to vendor
- Vendor disabled downloads for the vulnerable software

Sep 20, 2000:
- Sent email to vendor requesting a status update
- Received a response that the vendor is still working on fixes

Sep 21, 2000:
- Vendor email that problems have been fixed, requested clarification
- Sent clarification

Sep 22, 2000:
- Vendor submitted new version for review
- Sent additional feedback

Sep 23, 2000:
- Vendor completed fixes, sent for final review

Sep 25, 2000:
- Final review complete
- Vendor released new version
- Advisory written and sent to vendor for review
- Obtained CVE candidate names for advisory

Sep 26, 2000:
- Advisory approved by vendor

Oct 5, 2000:
- Advisory submitted to VulnHelp for review and Bugtraq ID's

Oct 12, 2000:
- Bugtraq ID's obtained from VulnHelp

Oct 16, 2000:
- Advisory submitted to Bugtraq, NTBugtraq, and CERT/CC
Login or Register to add favorites

File Archive:

November 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    16 Files
  • 2
    Nov 2nd
    17 Files
  • 3
    Nov 3rd
    17 Files
  • 4
    Nov 4th
    11 Files
  • 5
    Nov 5th
    0 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    3 Files
  • 8
    Nov 8th
    59 Files
  • 9
    Nov 9th
    12 Files
  • 10
    Nov 10th
    6 Files
  • 11
    Nov 11th
    11 Files
  • 12
    Nov 12th
    1 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    9 Files
  • 15
    Nov 15th
    33 Files
  • 16
    Nov 16th
    53 Files
  • 17
    Nov 17th
    11 Files
  • 18
    Nov 18th
    14 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    26 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    10 Files
  • 24
    Nov 24th
    9 Files
  • 25
    Nov 25th
    11 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    20 Files
  • 29
    Nov 29th
    9 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close