Linux.com Article DB: w3-msql 2.0.11 may run arbritrary code for outsiders

from BugTraq

hi,

i have just installed the evaluation version of the last w3-msql release (2.0.11) with its new security mechanism. There is effectively this new option "Force_Suffix" in msql.conf that force msql server to take its documents inside its private root instead of server's one.

The cgi is actually still vulnerable because of numerous lacks in sources (take a look at storeArgs() in w3-msql.c). It's possible with a buffer overflow attack to gain web server priviledge and modify remotly server content.

test it:

www.victim.com is the target site.

http://www.victim.com/cgi-bin/w3-msql/AAAAAAAAA.......AAAAA

with about a 200 chars length filename, the server response is "Internal Server Error" and the cgi produce a core file. With a carrefully forged string including code instructions, it's possible to force remote server to execute arbitrary code.

i'm going to write an exploit.

Have a nice day

------- Gregory Duchemin - gdn@neurocom.com Security Engineer NEUROCOM http://www.neurocom.com/ 179/181 avenue Charles de Gaulle 92200 Neuilly Sur Seine Tel: 01.41.43.84.84 Fax: 01.41.43.84.80

Originally Published: Wednesday, 8 September 1999	Author: Quentin Cregan
Published to: news_enhance_security/Security News	Page: 1/1 - [Printable]
w3-msql 2.0.11 may run arbritrary code for outsiders In a post to BugTraq, it was suggested that w3-mysql is vulnerable to handing over files from the system, and potentially executing code courtesy of a buffer overflow.

	Page 1 of 1
from BugTraq hi, i have just installed the evaluation version of the last w3-msql release (2.0.11) with its new security mechanism. There is effectively this new option "Force_Suffix" in msql.conf that force msql server to take its documents inside its private root instead of server's one. The cgi is actually still vulnerable because of numerous lacks in sources (take a look at storeArgs() in w3-msql.c). It's possible with a buffer overflow attack to gain web server priviledge and modify remotly server content. test it: www.victim.com is the target site. http://www.victim.com/cgi-bin/w3-msql/AAAAAAAAA.......AAAAA with about a 200 chars length filename, the server response is "Internal Server Error" and the cgi produce a core file. With a carrefully forged string including code instructions, it's possible to force remote server to execute arbitrary code. i'm going to write an exploit. Have a nice day ------- Gregory Duchemin - gdn@neurocom.com Security Engineer NEUROCOM http://www.neurocom.com/ 179/181 avenue Charles de Gaulle 92200 Neuilly Sur Seine Tel: 01.41.43.84.84 Fax: 01.41.43.84.80
	Page 1 of 1