Package: blosxom
Version: 2.0.2-0~njl.1
Followup-For: Bug #423441
Tags: patch
I regret to confirm that the security hole exists. An attacker can remotely invoke a Perl script anywhere on the system. The only limitation is that it must be written without line breaks in the middle of any statement, since it is eval'd line by line. You can verify this by writing a simple "hello world" script and invoking it:

GET http://testblog.local/blosxom?-f=/usr/local/bin/helloworld

I've checked the other uses of param() in the script and I believe they're safe. Not in any way elegant, but safe as far as my limited understanding of CGI goes.

* The checks for param(-password) are preceded by a check for !$ENV{GATEWAY_INTERFACE} so will not be invoked in a CGI environment, only from the command line as intended.
* The uses of param(-quiet) are only invoked if the param(-password) check succeeded, so will not be invoked in a CGI environment, only from the command line as intended.
* The uses of param(path) and param(flav) are intended for CGI use; these implement the older Blosxom invocation styles, e.g. ?flav=html

The tricky one is the param(-all) call in the middle of the default $entries sub. This is involved in the static re-rendering. It is not directly protected from remote invocation. However, param(-all) is used to build %indexes, and %indexes is not used unless the param(-password) check succeeds. So as far as I can see and test, this awful bit of hackery is safe. I don't know if there are any CGI interpreters that don't set $ENV{GATEWAY_INTERFACE}, but even if there are the risk is low. The only extra vuln would be that someone guessing the right password could cause static pages (if any) to be re-rendered prematurely.

I'm attaching a patch for the -f problem. I've tested this and confirmed that it prevents the remote exploit without breaking the other command-line flags. The patch requires Getopt::Long but that is part of base Perl in 5.8 so there is no new dependency for Etch.
If you want to backport this to Sarge you'll need to check, I can't remember about Perl 5.6.

Nick

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (600, 'stable'), (500, 'oldstable'), (3, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)

Versions of packages blosxom depends on:
ii  debconf [debconf-2.0]        1.5.11    Debian configuration management sy
ii  perl                         5.8.8-7   Larry Wall's Practical Extraction

Versions of packages blosxom recommends:
ii  apache2-mpm-prefork [httpd]  2.2.3-4   Traditional model for Apache HTTPD

-- debconf information:
  blosxom/breakage:
  blosxom/old_cgi_file: false
--- /usr/lib/cgi-bin/blosxom.orig-2.0.2 2007-06-11 15:47:48.000000000 +0100 +++ /usr/lib/cgi-bin/blosxom 2007-06-12 14:35:24.000000000 +0100 @@ -67,7 +67,10 @@ ## On Debian GNU/Linux systems, read configuration files (if found) ## Dirk Eddelbuettel <[EMAIL PROTECTED]> -for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", param("-f")) { +$conffile = undef; +use Getopt::Long qw(:config pass_through debug); +GetOptions("f=s" => \$conffile); +for $rcfile ("/etc/blosxom/blosxom.conf", "/etc/blosxom.conf", (defined $conffile ? ($conffile) : ()) ) { if (-r $rcfile) { open (RC, "< $rcfile") or die "Cannot open $rcfile: $!"; while (<RC>) {
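Review bot: drop "debug" from the line "use Getopt::Long qw(:config pass_through debug);". That Configure option switches on Getopt::Long's parser tracing to STDERR, so once the patched script runs as a CGI it will write to the web server's error log on every request; ":config pass_through" alone is what the fix needs, and a one-line comment saying why pass_through is there (so that -password, -quiet and -all stay in @ARGV for CGI.pm's own command-line handling, which the rest of the script relies on) would help the next maintainer. Two smaller points: "use" takes effect at compile time, so placing it after "$conffile = undef;" is harmless, but it belongs with the script's other use lines at the top; and a comment next to the new "for $rcfile (...)" line recording that this path must never again be taken from param(), because CGI.pm fills that from the request's query string, would guard against the hole being reintroduced in a later merge.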
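As an added example (not the reporter's code and not part of blosxom), the following Perl script contrasts the two option sources that the patch swaps: CGI::param(), which serves a "-f" parameter from a web request's query string, and Getopt::Long, which only ever reads an argument list, and so sees nothing when a web server runs the script with an empty @ARGV. It assumes CGI.pm is installed (core in Perl 5.8, a separate module on newer perls) and a Getopt::Long recent enough to provide GetOptionsFromArray; the query string, environment values and file names are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not code from the bug report or from blosxom itself.
# Contrasts CGI::param() (fed by the request) with Getopt::Long (fed only
# by an argument list) for a config-file override option "-f".
# Assumes CGI.pm is available and Getopt::Long provides GetOptionsFromArray.
use strict;
use warnings;
use CGI qw(param);
use Getopt::Long qw(GetOptionsFromArray :config pass_through);

# The old way: the config-file name comes from CGI::param(), so a request
# whose query string is "-f=/some/path" sets it. The environment values here
# are constructed to simulate a single GET request.
sub conffile_from_param {
    my ($query_string) = @_;
    local $ENV{GATEWAY_INTERFACE} = 'CGI/1.1';
    local $ENV{REQUEST_METHOD}    = 'GET';
    local $ENV{QUERY_STRING}      = $query_string;
    CGI::initialize_globals();          # discard CGI.pm's cached query object
    return scalar param('-f');
}

# The patched way: the name comes only from an argument list. pass_through
# leaves unknown options such as -password in the list, so CGI.pm's own
# command-line handling of them keeps working, as in the patch.
sub conffile_from_args {
    my @args = @_;                      # GetOptionsFromArray consumes this copy
    my $conffile;
    GetOptionsFromArray(\@args, 'f=s' => \$conffile);
    return $conffile;
}

# The candidate list the patched loop iterates: fixed locations plus the
# command-line override, nothing taken from request data.
sub candidate_rcfiles {
    my ($conffile) = @_;
    return ('/etc/blosxom/blosxom.conf', '/etc/blosxom.conf',
            (defined $conffile ? ($conffile) : ()));
}

sub show { defined $_[0] ? $_[0] : '(undef)' }

unless (caller) {
    my $qs = '-f=/tmp/not-a-config';    # constructed hostile query string
    print "param('-f') from query string : ", show(conffile_from_param($qs)), "\n";

    # Under a web server @ARGV is empty, so the same request yields nothing.
    print "GetOptions with empty \@ARGV    : ", show(conffile_from_args()), "\n";

    # On the command line the override still works and rides along with the
    # other flags the script handles itself (constructed argument list).
    my @cli = ('-password=secret', '-f', '/home/nick/blosxom.conf', '-quiet');
    print "GetOptions from command line   : ", show(conffile_from_args(@cli)), "\n";
    print "rcfiles searched               : ",
          join(' ', candidate_rcfiles(conffile_from_args(@cli))), "\n";
}
```

Run it from a shell: the first line prints the path lifted from the query string, the second prints (undef) because nothing in a web request reaches the argument list, and the third shows the command-line override still honoured alongside the -password and -quiet flags the script parses itself.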