<<< Date Index >>>     <<< Thread Index >>>

Issues In CGINews and CGIForum




Vendor  : Markus Triska
URL     : http://triskam.virtualave.net/cginews.html
Version : 1.07 And Possible Earlier & CGIForum 1.09
Risk    : Weak Encryption & Info Disclosure


Description:
CGINews is a multi-user Web site news posting system written in Perl. 
Main features include: adding, updating, and deleting news entries, 
multi-user functionality, sections, access levels, logs, 
highly-configurable layout, file upload, binary attachments and more.


Weak Password Encryption:
The CGI News program does not use DES, MD5 or any other one way crypt
algorithm. It instead uses a weak, decryptable method. Below is a script
that can easily decrypt the passwords found in the programs *.pwl files.
This issue is also present in CGIForum 1.09 by Markus Triska and can be 
used to decode CGIForum password files as well.

http://www.gulftech.org/vuln/cnc.txt



Information Disclosure Vulnerability:
By default the users log files are viewable. username/username.log The only
files not viewable by default are the .pwl files

Sat Dec 13 21:06:37 2003: jeiar changed password.
Sat Dec 13 21:10:21 2003: jeiar changed E-Mail/Syntax: test@blah/jeiar.
Sat Dec 13 21:10:54 2003: jeiar tried to change password.
Sat Dec 13 21:13:59 2003: jeiar uploaded file: C:\cmd.exe
Sat Dec 13 21:31:38 2003: jeiar uploaded file: C:\cnc.pl


Solution:
You can add your own DES or MD5 encryption if you are familiar with PERL, and to
solve the logfile problem simply add a .htaccess file that makes the directory
not viewable. For example

AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
AuthGroupFile /dev/null
Require valid-user

The author plans on including this type of .htaccess file in future versions, 
but 
does not have any plans on changing or strengthening the encryption method.

Credits:
Credits go to JeiAr of the GulfTech Security Research Team. 
http://www.gulftech.org