cached_feed.cgi.txt

Date: 05 Oct 2000 00:00:00
Reported by: CDI
Type: packetstorm
Source: packetstormsecurity.com

Arbitrary file disclosure issue found in Moreover.com's cached_feed.cgi due to lack of input validation.

-----------------------------------------------------------
Arbitrary File Disclosure in Moreover.com's Cached_Feed.cgi

Application: cached_feed.cgi
Vendor: Moreover.com
Version: 1.0, Last Updated 4.July.00

Note: the version is implied. They never actually put a version
number in the file, just a "last updated" date.

Vendor Status: Notified, although they fixed it prior to my notification
to them.

Fix: Download new version 2.0.
http://w.moreover.com/dev/cache/

Synopsis:
*yawn* Yet another CGI that lacks sufficient (or in this case -any-)
input validation, leading to the exposure of readable files on the
system.

Description:
The cached_feed CGI supplied by Moreover.com is used to retrieve news
headlines from the Moreover.com site and store them for retrieval
and display within your own local web site. The program accepts two
arguments on the QUERY_STRING: the news category to retrieve, and the
format the headlines should be returned in. The two arguments are supplied
to the CGI as a raw query string of the form 'category+format'. Because
the query string contains no '=', the web server splits it on '+' and
hands the pieces to the script as @ARGV:

$category = @ARGV[0];   # first '+'-separated query argument (one-element slice of @ARGV)
$format = @ARGV[1];     # second argument; neither value is checked in any way

These two lines comprise the bulk of the data validation performed by the
CGI. Here's the flaw in the source:

# Constants
$base_dir = ".";
$cache_dir = "$base_dir/cached_newsfeeds";
$cache_file = "$cache_dir/".$category.".".$format;   # path built from unchecked input

And a little later on...

if ($age < $cache_time)
{
$feed = &obtain_file($cache_file);   # reads and returns whatever $cache_file names
}

The 'obtain_file' function reads the file specified and returns its
contents. The CGI wraps up by printing the contents of the file back to
the browser. '$cache_time' defaults to 15 minutes, which limits the
exploit a bit: the targeted file needs to have been created or modified
in the last 15 minutes.

So, if your password file has been modified within the last 15 minutes,
the obvious exploit for this flaw will allow an intruder to retrieve the
file. The file will also be retrieved if the CGI is unable to contact the
Moreover server or if the Moreover server takes longer than 30 seconds to
respond. A crafty intruder could potentially induce such a delay using a
ping flood against the victim host.

Obvious Exploit:
http://victim/cgi-bin/cached_feed.cgi?../../../.+/etc/passwd

(The '+' splits the query into $category = '../../../.' and
$format = '/etc/passwd'. The '.' the script inserts between the two turns
the trailing '.' of the category into '..', so $cache_file becomes
'./cached_newsfeeds/../../../../etc/passwd', which resolves to /etc/passwd
from a script living three directories below /.)

Vendor Status:
I first started playing with the CGI on Sept 5th. During my testing I
accidentally tipped off Moreover by not immediately disabling the headline
retrieval function while I was testing. This means that Moreover's server
valiantly attempted to handle a few requests containing '/etc/passwd'
attempts. (I was trying to yank the password file off my own server, not
Moreover's.) Apparently someone at Moreover was actually paying attention,
because on Sept 10th, they issued an updated version of the CGI containing
the following change notes:

# Version 2
# ---------
# In this version:
<snip>
# o Potential security hole fixed

Their fixes included exiting if unable to contact the Moreover server to
retrieve the headlines, as well as munging the requested cache file to
prevent directory traversal. (It still doesn't really validate - just
munges. *sigh*)

CDI
____________________________________
The Web Master's Net
http://www.thewebmasters.net/
"We're sysadmins. We do remember. We don't forgive."
-- Mike Andrews in the Monastery
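The following is an added example, not code from the advisory or from Moreover's cached_feed.cgi. It reconstructs in Python the three pieces the advisory describes: how the CGI spec turns a '+'-separated QUERY_STRING into script arguments, how version 1.0's unchecked concatenation sends the exploit URL to /etc/passwd, and why a version-2-style "munging" fix (stripping '../') is weaker than validation. The cache directory name comes from the advisory; the base directory /var/www/cgi-bin, the category allowlist pattern, the format list, and all query strings are constructed for the demo and are not Moreover's.

```python
import os
import re
from typing import List, Optional
from urllib.parse import unquote

CACHE_DIR = "cached_newsfeeds"           # "$base_dir/cached_newsfeeds" in the advisory
BASE_DIR = "/var/www/cgi-bin"            # assumed install location of the script


def cgi_argv(query_string: str) -> List[str]:
    """Mimic the CGI rule that produced @ARGV in the advisory: when
    QUERY_STRING contains no '=', the server splits it on '+' and
    URL-decodes each piece into a script argument."""
    if "=" in query_string:
        return []
    return [unquote(part) for part in query_string.split("+")]


def vulnerable_cache_path(query_string: str) -> str:
    """Version 1.0 behaviour: '$cache_dir/' . $category . '.' . $format
    with no checks on either argument."""
    args = cgi_argv(query_string) + ["", ""]
    category, fmt = args[0], args[1]
    return f"{CACHE_DIR}/{category}.{fmt}"


def munged_cache_path(query_string: str) -> str:
    """A 'munging' fix of the kind the advisory criticises: delete '../'
    from each argument once and hope. A single-pass strip turns
    '....//' into '../', so traversal survives."""
    args = [a.replace("../", "") for a in cgi_argv(query_string)] + ["", ""]
    return f"{CACHE_DIR}/{args[0]}.{args[1]}"


def resolve(base_dir: str, cache_path: str) -> str:
    """Lexically resolve the cache path against the script's directory."""
    return os.path.normpath(os.path.join(base_dir, cache_path))


def escapes_cache_dir(base_dir: str, cache_path: str) -> bool:
    """True if the resolved path is not inside base_dir/CACHE_DIR."""
    cache_root = os.path.normpath(os.path.join(base_dir, CACHE_DIR))
    resolved = resolve(base_dir, cache_path)
    return os.path.commonpath([cache_root, resolved]) != cache_root


# Assumed validation policy (not Moreover's): category is a short token,
# format is one of a fixed set. Anything else is rejected outright.
CATEGORY_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
FORMATS = {"html", "txt", "xml"}


def validated_cache_path(query_string: str, base_dir: str = BASE_DIR) -> Optional[str]:
    """Allowlist both arguments, then confirm the final path still lies
    under the cache directory. Returns None when the request should be
    refused instead of trying to 'clean' it."""
    args = cgi_argv(query_string)
    if len(args) != 2:
        return None
    category, fmt = args
    if not CATEGORY_RE.match(category) or fmt not in FORMATS:
        return None
    path = f"{CACHE_DIR}/{category}.{fmt}"
    if escapes_cache_dir(base_dir, path):
        return None
    return path


if __name__ == "__main__":
    exploit = "../../../.+/etc/passwd"            # the advisory's query string
    bypass = "....//....//....//.+/etc/passwd"    # constructed to defeat the strip
    for label, fn in (("v1.0", vulnerable_cache_path), ("munged", munged_cache_path)):
        for q in (exploit, bypass):
            p = fn(q)
            print(f"{label:7} {q:40} -> {resolve(BASE_DIR, p)}")
    print("validated:", validated_cache_path("topnews+html"),
          validated_cache_path(exploit), validated_cache_path(bypass))
```

The munged variant still resolves the plain exploit to a file outside the cache directory and the doubled-up variant all the way to /etc/passwd, which is the advisory's point about munging versus validating. The 15-minute age check in the original script is not a substitute for either: as the advisory notes, the same read happens whenever the Moreover server cannot be reached in time, a condition the attacker can influence.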

Vulners AI Score: 7.4 (High risk)