CGIc Library is vulnerable to a buffer overflow attack
CGIc, an ANSI C-language library for creating CGI-based World Wide Web applications, is
vulnerable to a buffer overflow which may be used by a malicious user to gain root access.
Thomas Boutell's CGIc library (version 1.05) can be attacked using a buffer overflow in the
cgiFormEntryString() function.
The fault is that the function cgiFormEntryString() checks whether 'len == avail' before
examining each input character, but performs no further check when the character is neither CR
nor LF. In that case 'len' is not re-checked between outputting the pending LFs and outputting
the character itself (i.e. it confirms that 1 byte is free in the buffer, but can then place 2 bytes
in the buffer before checking again).
As an example, the cgictest program can be caused to segmentation fault by using the
following request as its parameters:
$ REQUEST_METHOD=GET QUERY_STRING='address=<240 x letter 'A'>%0A<1000 x letter 'A'>' ./cgictest
The result would be:
Content-type: text/html
<HTML><HEAD>
<TITLE>cgic test</TITLE></HEAD>
<BODY><H1>cgic test</H1>
Name: <BR>
Address: <PRE>
<lots of letter A's>
Segmentation fault (core dumped)
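The "one check, two writes" pattern described above, reconstructed as an added example beside a hardened copy loop and driven by the advisory's 240-A / LF / 1000-A input. This is not cgic's actual source: the loop shape, the 241-byte limit and the oversized scratch buffer are assumptions made so the demonstration itself stays in bounds.

```c
#include <stddef.h>
#include <string.h>

/* Reconstructed shape of the 1.05 copy loop as the advisory describes it
   (an assumption, not cgic's actual source): CR dropped, LF counted and
   flushed before the next character, 'len == avail' tested only at the top.
   Returns the number of bytes written; 'out' must be large enough to absorb
   the overrun, since this version does not honour 'avail'. */
size_t copy_vulnerable(const char *in, char *out, size_t avail)
{
    size_t len = 0, pending_lf = 0;
    for (; *in; in++) {
        if (len == avail)               /* equality: never true once len > avail */
            break;
        if (*in == '\r') continue;
        if (*in == '\n') { pending_lf++; continue; }
        while (pending_lf) { out[len++] = '\n'; pending_lf--; } /* unchecked */
        out[len++] = *in;               /* second byte after a single check */
    }
    out[len] = '\0';
    return len;
}

/* Hardened form: every write is guarded and the bound test is '>=' so an
   overshoot can never slip past it. Output is truncated to 'avail' bytes. */
size_t copy_fixed(const char *in, char *out, size_t avail)
{
    size_t len = 0, pending_lf = 0;
    for (; *in; in++) {
        if (*in == '\r') continue;
        if (*in == '\n') { pending_lf++; continue; }
        while (pending_lf && len < avail) { out[len++] = '\n'; pending_lf--; }
        if (len >= avail) break;
        out[len++] = *in;
    }
    out[len] = '\0';
    return len;
}

/* Builds the advisory's input (240 'A', LF, 1000 'A'; constructed here) and
   returns how many bytes the chosen copier emits for a limit of 'avail'. */
size_t bytes_written(size_t (*copier)(const char *, char *, size_t), size_t avail)
{
    static char in[1242], out[4096];    /* 'out' oversized on purpose */
    memset(in, 'A', 1241); in[240] = '\n'; in[1241] = '\0';
    return copier(in, out, avail);
}
```

With a 241-byte limit the reconstructed loop writes all 1241 bytes, because after the LF-plus-character pair pushes 'len' past 'avail' the equality test never fires again; the hardened loop stops at 241.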
The vulnerability was found by: Jon Ribbens - [email protected]
Boutell's CGIc's home page can be found at: http://www.boutell.com/cgic/.
Boutell's home page can be found at: http://www.boutell.com/.
--------------------------------------------------------------------------------------------------------
Date: Tue, 23 Feb 1999 12:18:18 +0100
From: Frank Tegtmeyer <[email protected]>
To: [email protected]
Subject: Re: Buffer overflow in www.boutell.com cgic library
Jon Ribbens wrote:
> Thomas Boutell's cgic library (version 1.05) has a buffer overflow in
> cgiFormEntryString() which is almost certainly exploitable. (Although
> it obviously depends on the program that has linked with cgic.)
Seems to be solved. From Thomas Boutell's site
(http://www.boutell.com/cgic/#whatsnew106):
What's new in version 1.06?
1. A potentially significant buffer overflow problem has been corrected.
Jon Ribbens correctly pointed out to me (and to the Internet's bugtraq
mailing list) that the cgiFormEntryString function, which is used
directly or indirectly by almost all CGIC programs, can potentially
write past the buffer passed to it by the programmer. This bug has been
corrected. Upgrading to version 1.06 is strongly recommended.
2. The function cgiSaferSystem() has been removed entirely. This function
escaped only a few metacharacters, while most shells have many, and
there was no way to account for the many different operating system
shells that might be in use on different operating systems. Since this
led to a false sense of security, the function has been removed. It is
our recommendation that user input should never be passed directly on
the command line unless it has been carefully shown to contain only
characters regarded as safe and appropriate by the programmer. Even
then, it is better to design your utilities to accept their input from
standard input rather than the command line.
Regards, Frank