
ALERT : Widespread CGI Vulnerability grants administrator status

posted on July 12, 2001
by hitbsecnews

qDefense has released an advisory noting that numerous CGIs are
vulnerable to remote flat file database manipulation, possibly
giving malicious users CGI administrator status and, thus,
read/write/execute privileges.
The problem lies in a failure to validate input. According to the
qDefense advisory, numerous CGIs store data, including passwords, in
a flat file database, using special characters as field and row
delimiters. Those which allow multiple users to log on, and grant
certain users privileged or administrator status, are the most likely
to be exploited. qDefense recommends that CGI developers ensure their
CGIs remove delimiter characters from user supplied data.
Furthermore, SQL databases should be used instead of flat file
databases...

Multiple CGI Flat File Database Manipulation Vulnerability
qDefense
Advisory Number QDAV-2001-7-1

Product: Numerous CGIs

Vendor: Numerous Vendors

Severity: Remote; Severity varies, but can often be used to attain CGI administrator status, which can
result in read/write/execute privileges.

Cause: Failure to validate input

In Short: Numerous CGIs store data, including passwords, in a flat file database, using special characters as field and row delimiters.
An attacker may be able to manipulate these databases. While many types of CGIs may be vulnerable, CGIs
which allow multiple users to log on, and grant certain users privileged or administrator status, are the most likely to be exploitable.

The current version of this document is available at http://qDefense.com/Advisories/QDAV-2001-7-1.html.

Details: Many CGIs store data in a flat file database.

Note: A flat file database is a standard text file used to store database style (i.e.,
fields and rows) information. Fields are delimited by a special character, such as a pipe symbol ( | ) or a colon ( : ).
Rows are usually delimited by a newline. A common example is the Unix /etc/passwd file.

Unfortunately, data stored in this format is often susceptible to manipulation by an attacker. When the database is used to store
both user supplied data (such as an e-mail address) and system data (such as user privileges), an attacker may be able to
manipulate the system data. By inserting a row or field delimiting character into the user supplied data, the attacker can fool the
database into treating part of the user supplied data as the system data of a different row or field.

This is best illustrated by an example:

A particular CGI allows multiple users to log on to a web site. It allows anyone to log on, but provides additional privileges to paying customers.
Furthermore, the webmaster may log on to modify the CGI settings. The CGI
stores the user data in a flat file database, using the pipe symbol ( | ) as a field delimiter, and a newline as a row
delimiter. The database stores the following fields: password, logon name, privilege level, first name, last name, and
e-mail address. Here is a sample file:

qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com
moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com
nopla|iceman|paying|Alfred|Lehoya|js124@abracadabra.com
sillypassword|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org

By registering with a last name containing URL-encoded newlines and pipes, an
attacker can embed a second line into his last name, which will be
recorded as an entirely new line in the password file, containing whatever
information the attacker wants. For instance, an attacker may register as
follows:

Username = dummyuser
Password = gotya
Firstname = John
Lastname = Doe\nlivetohack|evilhacker|admin|Evil|Hacker
Email = evil@hackerstogo.com

Note: The "\n" sequence stands for the newline character, ASCII value 10 (sent as %0A in the
URL-encoded form; the pipe symbol is sent as %7C).

When URL-encoded and submitted properly, this will add two lines to the database.
The example database will now look like this:

qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com
moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com
nopla|iceman|paying|Alfred|Lehoya|js124@abracadabra.com
sillypassword|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org
gotya|dummyuser|normal|John|Doe
livetohack|evilhacker|admin|Evil|Hacker|evil@hackerstogo.com

As you can see, an entry, evilhacker, has been added with full
admin status. The dummyuser row is left with only five fields (its e-mail
address became the last field of the injected row), which a CGI that splits
on the delimiter without counting fields will accept without complaint.

Solution:

Ideally, an SQL database should be used instead of a flat file database, with user supplied data passed to queries
as bound parameters rather than concatenated into the query string, since concatenation reproduces the same
delimiter problem in SQL. If this is not viable, CGI developers should ensure that their CGIs remove delimiter
characters from user supplied data (or reject the submission outright). The check must be applied after URL-decoding,
since that is the form in which the attacker's delimiters arrive, and must cover the field delimiter as well as every
row delimiter the platform may honor (LF and CR). As a redundant check, the CGI should also verify, immediately before
writing, that the assembled row contains exactly the expected number of field delimiters and no row delimiter.
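The attack in the Details section and the checks in the Solution, worked through in code. This is an added example, not qDefense's code nor any vendor's CGI: the field order (password|logon|privilege|first|last|email), the delimiters and the sample rows follow the advisory, while the function names, the in-memory "file" standing in for the flat file, and the registration form values are constructed for illustration. The vulnerable path reproduces the injected admin row; the hardened path rejects the same request after URL-decoding.

```python
"""Delimiter injection into a pipe/newline flat file, and the input check that stops it.

Added example; this is not qDefense's code nor any vendor's CGI. The field
order (password|logon|privilege|first|last|email), the delimiters and the
sample rows follow the advisory; the function names, the in-memory "file" and
the registration form values are constructed for illustration.
"""
from urllib.parse import unquote_plus

FIELD_SEP = "|"
ROW_SEP = "\n"
FIELDS = ("password", "logon", "privilege", "first", "last", "email")

# Constructed sample database, in the advisory's layout.
SAMPLE_DB = (
    "qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com\n"
    "moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com\n"
    "nopla|iceman|paying|Alfred|Lehoya|js124@abracadabra.com\n"
    "sillypassword|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org\n"
)

# Constructed registration request: the last name carries %0A (newline) and %7C (pipe),
# so the single Lastname field unfolds into a second, attacker-chosen row.
EVIL_QUERY = (
    "username=dummyuser&password=gotya&firstname=John"
    "&lastname=Doe%0Alivetohack%7Cevilhacker%7Cadmin%7CEvil%7CHacker"
    "&email=evil%40hackerstogo.com"
)


class DelimiterError(ValueError):
    """Raised by the hardened path when user data contains a delimiter."""


def parse_db(text):
    """Read the flat file the way a naive CGI does: rows on newline, fields on pipe."""
    rows = []
    for line in text.split(ROW_SEP):
        if line:
            rows.append(dict(zip(FIELDS, line.split(FIELD_SEP))))
    return rows


def decode_form(query):
    """Decode an application/x-www-form-urlencoded query string (what the CGI sees)."""
    form = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        form[unquote_plus(key)] = unquote_plus(value)
    return form


def build_row(form):
    """Assemble a new 'normal' user row in the advisory's field order."""
    return FIELD_SEP.join(
        [form["password"], form["username"], "normal",
         form["firstname"], form["lastname"], form["email"]]
    )


def register_vulnerable(db_text, query):
    """Append the row without checking for delimiters (the advisory's flaw)."""
    return db_text + build_row(decode_form(query)) + ROW_SEP


def register_hardened(db_text, query):
    """Append the row only if no user-supplied value can split a field or a row.

    The check runs on the decoded values (the attacker sends %0A and %7C encoded)
    and covers CR as well as LF, so a CRLF cannot split the row either.
    """
    form = decode_form(query)
    forbidden = (FIELD_SEP, "\n", "\r")
    for name in ("password", "username", "firstname", "lastname", "email"):
        if any(ch in form[name] for ch in forbidden):
            raise DelimiterError(f"delimiter in user-supplied field {name!r}")
    row = build_row(form)
    # Redundant check right before writing: exactly five pipes, no row delimiter.
    if row.count(FIELD_SEP) != len(FIELDS) - 1 or "\n" in row or "\r" in row:
        raise DelimiterError("assembled row would not parse back as one record")
    return db_text + row + ROW_SEP


def admins(db_text):
    """Logon names that parse back with admin privilege."""
    return [r["logon"] for r in parse_db(db_text) if r.get("privilege") == "admin"]


def hardened_rejects(db_text, query):
    """True if the hardened path refuses the registration."""
    try:
        register_hardened(db_text, query)
    except DelimiterError:
        return True
    return False


if __name__ == "__main__":
    after = register_vulnerable(SAMPLE_DB, EVIL_QUERY)
    print("admins after vulnerable register:", admins(after))  # ['bill', 'evilhacker']
    print("hardened rejects the same request:", hardened_rejects(SAMPLE_DB, EVIL_QUERY))
```

Running the script shows the vulnerable path turning one registration into two rows, the second with admin privilege, exactly as in the advisory's "after" listing; the hardened path refuses the request because the decoded last name contains both delimiters. The final row-shape check costs nothing and catches any delimiter the per-field filter missed.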

Note:

qDefense originally discovered this vulnerability class when auditing D.C. Forum, and issued an advisory,
DCForum Password File Manipulation Vulnerability
(qDefense Advisory Number QDAV-5-2000-2)
. However, further research has shown that this class of vulnerability is prevalent
among CGIs, particularly those which allow users to log on using passwords. As this form of attack represents a new method which has not (to qDefense's
knowledge) been publicized yet, qDefense has decided to issue a general advisory, instead of issuing specific advisories for all
of the CGIs that we have found vulnerable.

(C) 2001 qDefense Information Security Consultants. qDefense is a subsidiary of Computer
Modeling, Inc.

This document may be reproduced, in whole or in part, provided that no modifications are made and that proper credit is given.
Additionally, if it is made available through hypertext, it must be accompanied by a link to the qDefense web site,
http://qDefense.com.
