Package: blosxom
Version: 2.0-14
Severity: grave
Tags: security
Justification: user security hole
On line 69, the value of param("-f") is used as the path of a potential configuration file:
    for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", param("-f")) {
        if (-r $rcfile) {
            open (RC, "< $rcfile") or die "Cannot open $rcfile: $!";
            while (<RC>) {
                eval("$_");
            }
            close (RC);
        }
    }
This means (among other things) that a malicious user can use a URL like:
http://mycomputer/cgi-bin/blosxom?-f=/home/malicioususer/exploit.pl
to execute arbitrary code as whomever runs cgi scripts.
I emailed the credited author of this debian-specific chunk of code, who
said he wrote it to be used from the command-line. Indeed, when run from
the command-line, you can use
$ blosxom -f=/path/to/blosxom.conf
but this is just passing URL-encoded form data on the command line and
IMHO is an abuse of a feature in the CGI module to make testing easier.
As Debian installs blosxom into /usr/lib/cgi-bin/ it is clearly going to
be run by many people as a CGI.
In fact there are inappropriate calls to param() all over the place.
This one just happens to introduce a security hole. I think I'll use
pyblosxom instead. :)
Sorry, no patches, perl scares me.
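The following is an added example of how the configuration loader above could be hardened; it is not blosxom's code and not a patch from the reporter. It keeps the two fixed system paths from the snippet, but takes the -f override from @ARGV via Getopt::Long instead of CGI::param(), ignores it whenever the script is driven by a web server, and refuses to eval a config file that is group- or world-writable. The CGI-detection test (GATEWAY_INTERFACE or REQUEST_METHOD being set) and the permission check are assumptions about a reasonable policy, not something the report specifies.

```perl
#!/usr/bin/perl
# Added example (not blosxom's own code): load configuration only from
# fixed system paths, and honour a "-f" override only when invoked from
# the command line, never when running as a CGI.
use strict;
use warnings;
use Getopt::Long qw(GetOptions);

# Trusted locations, taken from the snippet in the report.
my @system_rcfiles = ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf");

# Assumption: a web server driving us sets GATEWAY_INTERFACE (CGI/1.1)
# and REQUEST_METHOD; either one means "CGI mode".
sub running_as_cgi {
    return defined $ENV{GATEWAY_INTERFACE} || defined $ENV{REQUEST_METHOD};
}

# Build the list of config files to try. The override comes from @ARGV,
# so a query string cannot supply it, and it is dropped in CGI mode anyway.
sub config_candidates {
    my @rc = @system_rcfiles;
    my $override;
    GetOptions('f=s' => \$override) or die "usage: $0 [-f config]\n";
    if (defined $override) {
        if (running_as_cgi()) {
            warn "ignoring -f override while running as CGI\n";
        } else {
            push @rc, $override;
        }
    }
    return @rc;
}

# Read each readable candidate line by line and eval it, as the original
# does, but skip files that anyone other than the owner could modify.
sub load_config {
    for my $rcfile (config_candidates()) {
        next unless -r $rcfile;
        my @st = stat($rcfile) or die "Cannot stat $rcfile: $!";
        my $mode = $st[2] & 07777;
        if ($mode & 022) {
            warn "skipping group/world-writable config $rcfile\n";
            next;
        }
        open(my $rc, '<', $rcfile) or die "Cannot open $rcfile: $!";
        while (my $line = <$rc>) {
            eval $line;
            die "Error in $rcfile: $@" if $@;
        }
        close($rc);
    }
}

load_config();
```

From a shell this still allows `blosxom -f /path/to/blosxom.conf` for testing, while a request such as the one quoted in the report simply finds no -f override at all, because the web server passes the query string through the environment rather than through @ARGV.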
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-linode28
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages blosxom depends on:
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii perl 5.8.8-7 Larry Wall's Practical Extraction
Versions of packages blosxom recommends:
ii apache2-mpm-prefork [httpd] 2.2.3-4 Traditional model for Apache HTTPD
-- debconf information:
blosxom/breakage:
blosxom/old_cgi_file: false