This one time, at band camp, Neale Pickett said:
> On line 69, param("-f") is used as a potential configuration file:
> 
> for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", param("-f")) {
>   if (-r $rcfile) {
>     open (RC, "< $rcfile") or die "Cannot open $rcfile: $!";
>     while (<RC>) {
>       eval("$_");
>     }
>     close (RC);
>   }
> }
> 
> This means (among other things) that a malicious user can use a URL like:
> 
>   http://mycomputer/cgi-bin/blosxom?-f=/home/malicioususer/exploit.pl
> 
> to execute arbitrary code as whomever runs cgi scripts.
> 
> I emailed the credited author of this debian-specific chunk of code, who
> said he wrote it to be used from the command-line.  Indeed, when run from
> the command-line, you can use
> 
>   $ blosxom -f=/path/to/blosxom.conf
> 
> but this is just passing URL-encoded form data on the command line and
> IMHO is an abuse of a feature in the CGI module to make testing easier.
> As debian installs blosxom into /usr/lib/cgi-bin/ it is clearly going to
> be run by many people as a CGI.
> 
> In fact there are inappropriate calls to param() all over the place.
> This one just happens to introduce a security hole.  I think I'll use
> pyblosxom instead.  :)
> 
> Sorry, no patches, perl scares me.

For this to be a real bug, this means blosxom must be conflating the GET
and POST options with global variables in the script.  This almost
certainly means it is open to several other attack vectors in the same
way that php scripts are when register globals is turned on.  Please say
it ain't so, and please, someone who likes the package, it sounds like
it might be time for an audit.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        [EMAIL PROTECTED] |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

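One way the quoted loop could be hardened, as an added example (not blosxom's or Debian's own code): the `-f` override is honoured only when the script is not running under a web server, so CGI form data can never name a file to be evaluated. The `running_as_cgi` and `config_candidates` helpers are assumptions introduced for this example.

```perl
#!/usr/bin/perl
# Added example: only trust -f when it comes from a real command line,
# never from CGI query or form data.  Not the blosxom project's own code.
use strict;
use warnings;

# Hypothetical helper: true when a web server is driving the script.
# CGI.pm's command-line mode only kicks in when these are unset.
sub running_as_cgi {
    return defined $ENV{GATEWAY_INTERFACE} || defined $ENV{REQUEST_METHOD};
}

# Fixed system-wide locations first; an operator-supplied path is appended
# only for a genuine shell invocation, taken from @ARGV rather than param().
sub config_candidates {
    my @rc = ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf");
    if (!running_as_cgi()) {
        my ($f) = map { /^-f=(.+)\z/ ? $1 : () } @ARGV;
        push @rc, $f if defined $f;
    }
    return @rc;
}

for my $rcfile (config_candidates()) {
    next unless -f $rcfile && -r _;
    # Refuse a config file that anyone other than its owner could edit.
    my $mode = (stat(_))[2] & 07777;
    die "$rcfile is group/world writable, refusing to load\n" if $mode & 022;

    open my $rc, '<', $rcfile or die "Cannot open $rcfile: $!\n";
    my $code = do { local $/; <$rc> };   # slurp the whole file
    close $rc;
    {
        # Config files assign package variables directly, as blosxom's do,
        # so relax strict vars for the evaluation only.
        no strict 'vars';
        eval $code;               # one eval, so multi-line statements work
    }
    die "Error in $rcfile: $@" if $@;
}
```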