Issues In CGINews and CGIForum
Vendor : Markus Triska
URL : http://triskam.virtualave.net/cginews.html
Version : 1.07 And Possible Earlier & CGIForum 1.09
Risk : Weak Encryption & Info Disclosure
Description:
CGINews is a multi-user Web site news posting system written in Perl.
Main features include: adding, updating, and deleting news entries,
multi-user functionality, sections, access levels, logs,
highly-configurable layout, file upload, binary attachments and more.
Weak Password Encryption:
The CGI News program does not use DES, MD5 or any other one way crypt
algorithm. It instead uses a weak, decryptable method. Below is a script
that can easily decrypt the passwords found in the programs *.pwl files.
This issue is also present in CGIForum 1.09 by Markus Triska and can be
used to decode CGIForum password files as well.
http://www.gulftech.org/vuln/cnc.txt
Information Disclosure Vulnerability:
By default the users log files are viewable. username/username.log The only
files not viewable by default are the .pwl files
Sat Dec 13 21:06:37 2003: jeiar changed password.
Sat Dec 13 21:10:21 2003: jeiar changed E-Mail/Syntax: test@blah/jeiar.
Sat Dec 13 21:10:54 2003: jeiar tried to change password.
Sat Dec 13 21:13:59 2003: jeiar uploaded file: C:\cmd.exe
Sat Dec 13 21:31:38 2003: jeiar uploaded file: C:\cnc.pl
Solution:
You can add your own DES or MD5 encryption if you are familiar with PERL, and to
solve the logfile problem simply add a .htaccess file that makes the directory
not viewable. For example
AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
AuthGroupFile /dev/null
Require valid-user
The author plans on including this type of .htaccess file in future versions,
but
does not have any plans on changing or strengthening the encryption method.
Credits:
Credits go to JeiAr of the GulfTech Security Research Team.
http://www.gulftech.org