GNATS > GNATSWEB SECURITY ADVISORY JUN 26 2001

Gnatsweb Security Advisory

Versions affected

Description

In Gnatsweb 2.7 beta, a new help system was introduced. The standard help text was provided in a separate file named 'gnatsweb.html'. For some reason it was decided to allow the name of the help file to be customized, and it was possible to specify this filename by providing a value to the help_file parameter in a request URL. If a URL such as

http://www.whatever.whatever/cgi-bin/gnatsweb.pl?cmd=help&help_file=somefile.html

was used to access Gnatsweb, the file somefile.html would be served up as help text instead. The problem was that the value of this parameter was never checked before it was passed to a Perl open() call.

Impact

By judicious use of special characters in the value of the help_file parameter, an attacker would be able to read the contents of any file or execute any command to which the web server process user had access.

Solution

Download and apply the patch for your version of Gnatsweb: 2.7 beta, 2.8.0, 2.8.1. This fix hardcodes the name 'gnatsweb.html' for the help file and makes a slight modification to the way the file is opened.
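To make the description and the fix concrete, here is an added illustration that is not Gnatsweb's own code: the shape of the help-file open as the advisory describes it, beside a version hardened the way the patch is described (hardcoded 'gnatsweb.html', different open form). The $help_dir location and the CGI-style $query->param() interface are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from Gnatsweb. $help_dir and the CGI-style
# $query object are assumptions made for illustration.
use strict;
use warnings;
use File::Spec;

my $help_dir = '/usr/local/share/gnatsweb';   # assumed install location

# Before the fix (shape only): the query-string value goes straight into a
# two-argument open(). In that form Perl reads mode characters out of the
# string itself, so whoever supplies the value decides what open() does,
# not merely which file under the help directory is read.
sub help_text_before {
    my ($help_file) = @_;              # taken from ?help_file=... unchecked
    open(HELP, $help_file) or die "can't open $help_file: $!";
    local $/;                          # slurp the whole file
    my $text = <HELP>;
    close HELP;
    return $text;
}

# After the fix, as the advisory describes it: the help file name is fixed
# to 'gnatsweb.html' and the file is opened with the three-argument form,
# where '<' is the mode and the second argument is treated only as a path.
# A help_file parameter that still arrives in a request is ignored; logging
# it gives operators a signal that someone is probing the old behaviour.
sub help_text_after {
    my ($query) = @_;                  # assumed CGI.pm-like object
    if (defined $query->param('help_file')) {
        warn "gnatsweb: ignoring help_file parameter in request\n";
    }
    my $path = File::Spec->catfile($help_dir, 'gnatsweb.html');
    open(my $fh, '<', $path) or die "can't open $path: $!";
    local $/;
    my $text = <$fh>;
    close $fh;
    return $text;
}
```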

Gnatsweb 3.95 is part of the yet-to-be-released GNATS 4 distribution. Versions checked out of the CVS repository on sources.redhat.com prior to Jun 26 2001 12:15 PDT contain this bug. Users running such versions should check out a new version.

A new version of Gnatsweb incorporating this fix, numbered 2.8.2, is available from the FTP site on sources.redhat.com and from ftp.gnu.org and its mirrors.

First published: Tuesday, 26-Jun-2001 20:46:00 MET DST
Last modified: Tuesday, 26-Jun-2001 22:15:00 MET DST
yngve.svendsen@clustra.com