rnnguest12.txt

` RNN's Guestbook 1.2 Multiple Vulnerabilies Discovered by  
Chris Rahm (aka: BrainRawt) (brainrawt at haxworx.com)  
  
  
Vulnerabilities: Remote Command Execution  
Administrative Access  
Information Disclosure (Reading of Files)  
Arbitrary HTML Insertion/Script Injection  
Plain Text Administrative Password  
  
Remote: Yes  
Local: Yes  
Risk: High  
  
Vulnerable: Guestbook 1.2  
  
  
About Guestbook  
---------------  
Guestbook is an easily customizable CGI script that allows  
visitors to post messages for others to read.  
  
Guestbook 1.2 can be downloaded at the following address.  
  
http://www.cbvfd.com/rnn/scripts/guestbook.htm  
  
  
Vendor Contact  
--------------  
10-11-03 - Sent an email to webmaster at cbvfd.com   
"ATT: Mike Reed (author)"  
(No Reply)  
  
10-12-03 - Sent an email to Mike Reed at mike at cbvfd.com  
(No Reply)  
  
10-16-03 - Sent another email to mike at cbvfd.com  
(No Reply)  
  
10-19-03 - Sent email to (Mike's other email)   
zmlr15 at imail.etsu.edu.  
(Failed Recipient)  
  
10-20-03 - Posted a msg on the cbvfd.com msgboard.  
(No Response Yet)  
  
10-20-03 - Called Mike via phone.   
(No Answer)  
  
10-25-03 - Sent an email to another one of Mike's addresses.  
reed2323 at cbvfd.com  
  
10-26-03 - Recieved an email from Mike and replied with a  
a copy of this advisory.  
  
11-26-03 - No word from author since he had received a copy   
of this advisory. Releasing information to bugtraq.  
  
Administrative Access Vulnerabilities  
-------------------------------------  
If an attacker was to visit ~/gbadmin.cgi, he/she would be   
prompted for a password. But if that same attacker was to   
go directly to the QUERY_STRING and fill in the values for   
"action", he/she could have total control over the guestbook   
without the need of any authentication.  
  
EXAMPLES:  
  
1. ~/gbadmin.cgi?action=change_adminpass - Change password   
  
2. ~/gbadmin.cgi?action=delete_guests - Delete ALL posts on the guestbook.  
  
3. ~/gbadmin.cgi?action=setup - Change setup information for guestbook.  
  
4. ~/gbadmin.cgi?action=colors - Modify the look and feel of the guestbook  
  
5. ~/gbadmin.cgi?action=change_automail - Change emailing information  
  
  
Information Disclosure Vulnerability (Reading of Files)  
-------------------------------------------------------  
By taking advantage of the Administrative Access Vulnerabilites, an  
attacker could visit ~/gbadmin.cgi?action=setup and change the  
"guestbook entry file" path to point towards any file (EX: /etc/passwd)  
on the system readable by the account inwhich the httpd is running.   
After making this change, the attacker would view guestbook.cgi not   
to read POSTs, but to read the contents of the file above.  
  
  
Remote Command Execution  
------------------------  
Also by taking advantage of the Administrative Access Vulnerability,  
instead of an attacker changing the guestbook entry file path to   
something such as /etc/password to read that files contents, an  
attacker can insert /path/file;<cmd> <args>| resulting in the  
execution of the cmd at the end of /path/file.  
  
EXAMPLE: /etc/passwd;touch /tmp/hacked|  
  
  
Arbitrary HTML Insertion / Script Injection Vulnerabilities  
-----------------------------------------------------------  
Due to improper filtering, all the scalars below allow the insertion   
of HTML tags, making guestbook.cgi vulnerable to script injection.  
  
Even though the gbadmin.cgi offers the option to not allow HTML tags   
in the $comment field, HTML tags are still accepted.  
  
sub process_input {  
# process variables  
$name = "$in{'name'}";  
$email = "$in{'email'}";  
$refer = "$in{'refer'}";  
$msn = "$in{'msn'}";  
$aol = "$in{'aol'}";  
$guest_site = "$in{'guest_site'}";  
$comment = "$in{'comment'}";  
$ip = "$in{'ip'}";  
&validate_input;  
  
  
Plain Text Administrative Password  
----------------------------------  
The administrative password can be found in the gbpass.pl file  
also found in the same directory as the rest of the guestbook.  
Combine the permissions recommended by the author in "readme.txt"  
and the plain text password, any "local" users can view the plain  
text password found in gbpass.pl.  
  
  
------------------------------------------------------  
`