QDAV-2001-7-1

Published: 12 Jul 2001. Reported by qDefense.com. Type: packetstorm. Source: packetstormsecurity.com

Multiple CGI Flat File Database vulnerabilities can allow unauthorized access to sensitive data.

Multiple CGI Flat File Database Manipulation Vulnerability  
qDefense Advisory Number QDAV-2001-7-1  
  
Product: Numerous CGIs  
  
Vendor: Numerous Vendors  
  
Severity: Remote; impact varies, but the flaw can often be used to attain CGI   
administrator status, which can result in read/write/execute privileges.  
  
Cause: Failure to validate input  
  
In Short: Numerous CGIs store data, including passwords, in a flat file   
database, using special characters as field and row delimiters. An attacker   
may be able to manipulate these databases. While many types of CGIs may be   
vulnerable, CGIs which allow multiple users to log on, and grant certain   
users privileged or administrator status, are the most likely to be exploitable.  
  
The current version of this document is available at   
http://qDefense.com/Advisories/QDAV-2001-7-1.html.  
  
Details: Many CGIs store data in a flat file database.  
  
Note: A flat file database is a standard text file used to store database   
style (i.e., fields and rows) information. Fields are delimited by a   
special character, such as a pipe symbol ( | ) or a colon ( : ). Rows are   
usually delimited by a newline. A common example is the Unix /etc/passwd file.  
  
Unfortunately, data stored in this format is often susceptible to   
manipulation by an attacker. When the database is used to store both user   
supplied data (such as e-mail address), as well as system data (such as   
user privileges), an attacker may be able to manipulate the system data. By   
inserting a row or field delimiting character into the user supplied data,   
the attacker can fool the database into thinking that the user supplied   
data is actually the system data of a different row or field.  
  
This is best illustrated by an example:  
  
A particular CGI allows multiple users to log on to a web site. It allows   
anyone to log on, but provides additional privileges to paying customers.   
Furthermore, the webmaster may log on to modify the CGI settings. The CGI   
stores the user data in a flat file database, using the pipe symbol ( | )   
as a field delimiter, and a newline as a row delimiter. The database stores   
the following fields: password, logon name, privilege level, first name,   
last name, and e-mail address. Here is a sample file:  
  
qua53sar2|bill|admin|William|Smith|[email protected]   
moopus|joe|normal|Joe|Smith|[email protected]  
nopla|iceman|paying|Alfred|Lehoya|[email protected]   
sillypassword|hank|normal|Harold|Jenkins|[email protected]  
  
By registering with a last name containing URL-encoded newlines and pipes,   
an attacker can embed a second line into his last name, which will be   
recorded as an entirely new line in the password file, containing whatever   
information the attacker wants. For instance, an attacker may register as   
follows:  
  
Username = dummyuser  
Password = gotya  
Firstname = John  
Lastname = Doe\nlivetohack|evilhacker|admin|Evil|Hacker  
Email = [email protected]  
  
Note: The "\n" symbol indicates the newline character, ASCII value 10.  
  
When URL-encoded and submitted, this will add two lines to the   
database. The example database will now look like this:  
  
qua53sar2|bill|admin|William|Smith|[email protected]   
moopus|joe|normal|Joe|Smith|[email protected]   
nopla|iceman|paying|Alfred|Lehoya|[email protected]   
sillypassword|hank|normal|Harold|Jenkins|[email protected]   
gotya|dummyuser|normal|John|Doe   
livetohack|evilhacker|admin|Evil|Hacker|[email protected]  
  
As you can see, an entry, evilhacker, has been added with full admin status.  
  
Solution:  
  
Ideally, SQL databases should be used instead of flat file databases. If   
this is not viable, CGI developers should ensure that their CGIs reject or   
remove delimiter characters from user supplied data. As a second line of   
defence, check for delimiters again immediately before writing to the database.  
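The following is an added example, not qDefense's code or any vendor's CGI. It models the advisory's flat file (the field order password|logon|privilege|first|last|email, the four sample rows and the registration values are the advisory's own; the e-mail addresses are constructed placeholders, since the originals are not preserved on this page) and shows both the flawed write path, which turns the single "Lastname" value into two records, and a hardened path that rejects structural characters and re-checks the serialized record just before writing. Function names such as register_vulnerable and register_hardened are this example's own.

```python
# Flat-file user database with pipe-delimited fields and newline-delimited rows,
# as described in QDAV-2001-7-1. Added example; not the advisory's or any
# vendor's code. Field layout, sample rows and registration values come from
# the advisory; e-mail addresses are constructed placeholders.

FIELD_SEP = "|"
ROW_SEP = "\n"
FIELDS = ("password", "logon", "privilege", "first", "last", "email")
# Every character the file format uses structurally must never come from a user.
FORBIDDEN = {FIELD_SEP, "\n", "\r"}

# The advisory's sample file (addresses constructed for this example).
SAMPLE_DB = (
    "qua53sar2|bill|admin|William|Smith|bill@example.invalid\n"
    "moopus|joe|normal|Joe|Smith|joe@example.invalid\n"
    "nopla|iceman|paying|Alfred|Lehoya|iceman@example.invalid\n"
    "sillypassword|hank|normal|Harold|Jenkins|hank@example.invalid\n"
)


def parse_db(text):
    """Split the file into rows and fields the way a naive CGI does. The format
    carries no marker of where user data ends, so any newline starts a new row."""
    rows = []
    for line in text.split(ROW_SEP):
        if line == "":
            continue
        values = line.split(FIELD_SEP)
        rows.append(dict(zip(FIELDS, values)))  # a short row simply lacks trailing keys
    return rows


def privilege_of(text, logon):
    """Return the privilege level recorded for a logon name, or None."""
    for row in parse_db(text):
        if row.get("logon") == logon:
            return row.get("privilege")
    return None


def register_vulnerable(text, username, password, first, last, email):
    """The flawed pattern: user-supplied values are serialized verbatim."""
    row = FIELD_SEP.join((password, username, "normal", first, last, email))
    return text + row + ROW_SEP


def check_field(name, value):
    """Reject a value containing any structural character. Rejecting is
    preferable to silently stripping, which hides attempts from the operator."""
    bad = FORBIDDEN.intersection(value)
    if bad:
        raise ValueError(f"field {name!r} contains delimiter character(s) {sorted(bad)}")
    return value


def register_hardened(text, username, password, first, last, email):
    """Validate every user field, then re-check the serialized record just
    before writing, as the advisory recommends."""
    names = ("username", "password", "first", "last", "email")
    for name, value in zip(names, (username, password, first, last, email)):
        check_field(name, value)
    row = FIELD_SEP.join((password, username, "normal", first, last, email))
    # Redundant pre-write check: exactly one row with exactly len(FIELDS) fields.
    if ROW_SEP in row or "\r" in row or row.count(FIELD_SEP) != len(FIELDS) - 1:
        raise ValueError("record would corrupt the database; refusing to write")
    return text + row + ROW_SEP


def hardened_rejects(text, username, password, first, last, email):
    """True if the hardened registration refuses this input."""
    try:
        register_hardened(text, username, password, first, last, email)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The advisory's registration: the last name smuggles a row delimiter and a full record.
    evil_last = "Doe\nlivetohack|evilhacker|admin|Evil|Hacker"
    db = register_vulnerable(SAMPLE_DB, "dummyuser", "gotya", "John", evil_last,
                             "dummy@example.invalid")
    print(db)
    print("evilhacker privilege:", privilege_of(db, "evilhacker"))  # admin
    print("hardened CGI refuses it:",
          hardened_rejects(SAMPLE_DB, "dummyuser", "gotya", "John", evil_last,
                           "dummy@example.invalid"))
```

Running the script prints the corrupted file with six rows: the "dummyuser" row is truncated after "Doe" and a second row grants "evilhacker" admin status, exactly as in the advisory's listing. The hardened path refuses the same input at the field check; the pre-write check in register_hardened is the redundancy the advisory asks for and would still catch a value that slipped past validation, for example one decoded or transformed after the field check.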
  
Note:  
  
qDefense originally discovered this vulnerability class when auditing D.C.   
Forum, and issued an advisory, DCForum Password File Manipulation   
Vulnerability (qDefense Advisory Number QDAV-5-2000-2,   
http://qDefense.com/Advisories/QDAV-5-2000-2.html). However,   
further research has shown that this class of vulnerability is prevalent   
among CGIs, particularly those which allow users to log on using   
passwords. As this form of attack represents a new method which has not (to   
qDefense's knowledge) been publicized as of yet, qDefense has decided to   
issue a general advisory, instead of issuing specific advisories for all of   
the CGIs that we have found vulnerable.  
  
(C) 2001 qDefense Information Security Consultants, http://qDefense.com.   
qDefense is a subsidiary of Computer Modeling, Inc.  
  
This document may be reproduced, in whole or in part, provided that no   
modifications are made and that proper credit is given. Additionally, if it   
is made available through hypertext, it must be accompanied by a link to   
the qDefense web site,   
http://qDefense.com.  
  
qDefense Advisories  
[email protected]  
qDefense - DEFENDING THE ELECTRONIC FRONTIER  
  
qDefense offers a wide variety of security services  
See http://qDefense.com/Services  

Vulners AI Score: 7.4 (High risk)