Bug 13689 - Security hole in example file ./site/eg/source.asp
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Secure Web Server
Classification: Retired
Component: perl-Apache-ASP
Version: 3.2
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Preston Brown
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2000-07-11 02:27 UTC by joshua
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2000-07-11 02:28:00 UTC
Embargoed:


Description joshua 2000-07-11 02:27:59 UTC
Pre-1.95 Apache::ASP has a security hole in its example
./site/eg/source.asp script.  Please update Red Hat with
latest source from CPAN ASAP.

=======

ANNOUNCE Apache::ASP v1.95 - Examples Security Hole Fixed

Apache::ASP < http://www.nodeworks.com/asp/ > had a security
hole in its ./site/eg/source.asp distribution examples file, 
allowing a malicious hacker to potentially write to files in 
the directory local to the source.asp example script.

The next version of Apache::ASP v1.95 going to CPAN will not
have this security hole in its example ./site/eg/source.asp.
The general CHANGES for this release are below.  Note that 
CPAN may not have the 1.95 version for another 24 hours.

Until you have the latest examples, I would recommend deleting 
this source.asp file from any public web server that has 
Apache::ASP installed on it.

The original report on a similar perl open() bug was at ZDNet's eWeek
at http://www.zdnet.com/eweek/stories/general/0,11011,2600258,00.html
where a hacking contest at openhack.org turned up a bug on 
its minivend ecommerce software.

--Joshua Chamas

=item $VERSION = 1.95; $DATE="07/10/00";

 !!!!! EXAMPLES SECURITY BUG FOUND & FIXED !!!!!

 --FIXED: distribution example ./site/eg/source.asp now parses 
  out special characters of the open() call when reading local 
  files.

  This bug would allow a malicious user possible writing
  of files in the same directory as the source.asp script.  This
  writing exploit would only have effect if the web server user
  has write permission on those files.

  Similar bug announced by openhack.org for minivend software
  in story at: 
    http://www.zdnet.com/eweek/stories/general/0,11011,2600258,00.html

  !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

 -$0 now set to transferred file, when using $Server->Transfer

 -Fix for XMLSubsMatch parsing on cases with 2 or more args passed
  to tag sub that was standalone like 
    <Apps:header type="header" title="Moo" foo="moo" />
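
Added example, not the Apache::ASP fix and not code from this bug report: with two-argument open(), Perl takes the mode from characters in the file name string itself, so a user-supplied name can turn a read into a write. The sketch below reads a user-named file with three-argument open plus a name allowlist, a different technique from the character stripping the changelog describes; `read_local_file` and the sample file names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper (not from Apache::ASP): read a file in $dir by a
# user-supplied name without letting that name choose the open() mode.
sub read_local_file {
    my ($dir, $name) = @_;

    # Allowlist: a plain file name only. This excludes path separators
    # and the mode characters '>', '<', '+' and '|' in any position.
    return (undef, "rejected name")
        unless defined $name && $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;

    my $path = File::Spec->catfile($dir, $name);

    # Three-argument open: the mode is the literal '<' and $path is used
    # purely as a file name, never parsed for mode characters.
    open(my $fh, '<', $path) or return (undef, "cannot open: $!");
    local $/;                      # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return ($data, undef);
}

# Constructed sample input, written to a throwaway directory.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', File::Spec->catfile($dir, 'hello.asp')) or die $!;
print {$out} "<% print 'hello' %>\n";
close $out;

# Only the first name is a plain file name; the rest are rejected
# before any open() call is made.
for my $name ('hello.asp', '>hello.asp', 'hello.asp|', '../hello.asp', '') {
    my ($data, $err) = read_local_file($dir, $name);
    printf "%-16s => %s\n", "'$name'",
        defined $data ? "read " . length($data) . " bytes" : $err;
}
```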

Comment 1 Nalin Dahyabhai 2000-07-12 18:54:16 UTC
Not really a problem.  The indicated file is installed under /usr/doc,
now writable by the nobody user.

Comment 2 Nalin Dahyabhai 2000-07-12 18:54:38 UTC
Uh, NOT writable, not "now".
