-----BEGIN PGP SIGNED MESSAGE-----


===========================================================================
              AUSCERT External Security Bulletin Redistribution

          ESB-97.052 -- VB-97.02 - Vulnerability in all versions of
		        Selena Sol's Guestbook

                              28 April 1997

===========================================================================

CERT/CC has released the following bulletin initiated by Selena Sol
concerning a vulnerability in all versions of Selena Sol's Guestbook.
This vulnerability may allow remote users to execute arbitrary commands
on the web server as the uid of the httpd daemon.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be made in accordance with site policies and procedures.

Contact information for Selena Sol is included in the Security Bulletin
below.  If you have any questions or need further information, please
contact them directly.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.


- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Vendor-Initiated Bulletin VB-97.02
April 24, 1997

Topic:  Security Hole in Guestbook Script for Web Servers Using SSI
Source: Selena Sol

To aid in the wide distribution of essential security information, the
CERT Coordination Center is forwarding the following information from
Selena Sol, who urges you to act on this information as soon as
possible. Contact information is included in the forwarded text below; please
contact Selena Sol if you have any questions or need further information.

=======================FORWARDED TEXT STARTS HERE============================

Problem: Vulnerability in all versions of Selena Sol's Guestbook

I. Description

Guestbook applications allow a person browsing a web site to "sign" an
electronic guestbook and leave an appropriate message. A guestbook CGI script
is freely available from Selena Sol at the following URL:

        http://www.eff.org/~erict/Scripts/guestbook.html

All versions of this program have a vulnerability that under certain
conditions allows a remote user to execute arbitrary commands on the server
as the user id of the httpd daemon. These conditions are:

        - the server allows Server Side Includes (SSI) on the directory in
                which the guestbook is located, and,

        - the guestbook application allows the remote user to write HTML
                tags into the Comment field of the guestbook, and,

        - the guestbook application does not filter the appropriate HTML tags.


II. Impact

Remote users may be able to execute arbitrary commands on the web server as
the uid of the httpd daemon.


III. Solution

Sites using this application should either update their guestbook to the
current version or implement the following steps as appropriate to the
version they are using. Note that this may mean changing default values within
the application.

(a) Disable SSI on the directory in which the guestbook application writes
    its data. See your WWW server documentation for details.

(b) Filter HTML tags that can be used to process arbitrary local data:

        $ diff -c guestbook.cgi.old guestbook.cgi
        *** guestbook.cgi.old   Mon Apr 21 15:52:39 1997
        --- guestbook.cgi       Mon Apr 21 16:07:45 1997
        ***************
        *** 88,108 ****
  
             @form_variables = keys (%form_data);
  
   ! # For every variable sent to us from the form, and for each word in our 
   ! # list of bad words, replace (=~ s/) any occurrence, case insensitively
   ! # (/gi) of the bad word ($word) with the word censored.  
   ! # $form_data{$variable} should be equal to what the client filled in in 
   ! # the input boxes...
     #
   ! # Further, if the admin has set allow_html to 0, (!= 1) it means that she 
   ! # does not want the users to be able to use HTML tags...so, delete them.
  
             foreach $variable (@form_variables)
               {
               foreach $word (@bad_words)
                 {
                 $form_data{$variable} =~ s/$word/censored/gi;
                 }
               if ($allow_html != "yes") 
                 {
                 $form_data{$variable} =~ s/<([^>]|
)*>//g;
        --- 88,121 ----
  
             @form_variables = keys (%form_data);
  
   ! # For every variable sent to us from the form, filter HTML tags 
   ! # that we do not allow regardless of configuration.
     #
   ! # Also, for each word in our list of bad words, replace (=~ s/) 
   ! # any occurrence, case insensitively (/gi) of the bad word ($word) 
   ! # with the word censored.  $form_data{$variable} should be equal 
   ! # to what the client filled in in the input boxes...
   ! #
   ! # Further, if the admin has set allow_html to 0, (!= 1) it means 
   ! # that she does not want the users to be able to use HTML tags...so, 
   ! # delete them.
          
             foreach $variable (@form_variables)
               {
        + 
        +      # Strip non-negotiable HTML.
        +      # Un-Webify plus signs and %-encoding
        +      $form_data{$variable} =~ tr/+/ /;
        +      $form_data{$variable} =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        +      $form_data{$variable} =~ $value =~ s/<!--(.|
)*-->//g;
        + 
        +      # Replace bad words.
               foreach $word (@bad_words)
                 {
                 $form_data{$variable} =~ s/$word/censored/gi;
                 }
        + 
        +      # Strip ALL HTML if configured this way.
               if ($allow_html != "yes") 
                 {
                 $form_data{$variable} =~ s/<([^>]|
)*>//g;
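Review bot: the added line `$form_data{$variable} =~ $value =~ s/<!--(.|\n)*-->//g;` does not apply the substitution to the form field: the chained `=~ $value =~` makes the result of a match the target of `s///`, and `$value` is never set anywhere in this hunk, so SSI comments pass through untouched. It should read `$form_data{$variable} =~ s/<!--(.|\n)*-->//g;`. Even then `(.|\n)*` is greedy, so a comment at the start and one at the end of a field remove everything between them; `s/<!--.*?-->//gs` strips each comment on its own. Separately, the unchanged `if ($allow_html != "yes")` is a numeric comparison in which both `"yes"` and `"no"` evaluate to 0, so the "Strip ALL HTML" branch never runs; use `ne` there.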


(c) If you do not wish to allow guests to leave HTML tags at all, disable
    the use of HTML tags in the guestbook by setting appropriate configuration
    variables. You can do this by changing the following line in 
    guestbook.setup:

        $ diff -c guestbook.setup.old guestbook.setup    
        *** guestbook.setup.old Wed Aug 14 16:28:13 1996
        --- guestbook.setup     Mon Apr 21 15:51:20 1997
        ***************
        *** 16,22 ****
  
            $remote_mail = "yes";
  
        !   $allow_html = yes;
  
            @required_fields = ("realname", "comments");
  
        --- 16,22 ----
  
            $remote_mail = "yes";
  
        !   $allow_html = no;
  
            @required_fields = ("realname", "comments");
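Review bot: `$allow_html = no;` assigns a bareword where `$remote_mail = "yes";` two lines above uses a quoted string; write `$allow_html = "no";` for consistency (and so the file survives `use strict`). Note also that this setting only takes effect once the check in guestbook.cgi, `$allow_html != "yes"`, is changed from a numeric to a string (`ne`) comparison.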


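The three filtering steps of fix (b), as an added example in Python that is not part of the bulletin or of Selena Sol's script: comments are removed one at a time instead of with the greedy pattern in the patch, an unterminated comment is dropped to the end of the field, and allow_html is tested as a boolean. BAD_WORDS is a constructed stand-in for @bad_words, and the field is assumed to be already URL-decoded.

```python
import re

# Constructed stand-in for the script's @bad_words list.
BAD_WORDS = ["darn"]

# Non-greedy and DOTALL: each comment is matched on its own, so text
# between two comments survives. The greedy (.|\n)* in the patch would
# swallow everything from the first "<!--" to the last "-->".
COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
# A comment that is opened but never closed inside the field.
DANGLING_COMMENT_RE = re.compile(r"<!--.*", re.DOTALL)
TAG_RE = re.compile(r"<[^>]*>")


def sanitize_field(value: str, allow_html: bool) -> str:
    """Filter one guestbook form field before it is written to the page."""
    # Step 1: always strip HTML comments. Server Side Includes are carried
    # inside comments (<!--# ... -->), so this closes the SSI path whatever
    # the allow_html setting is. An unclosed "<!--" is removed to the end of
    # the field, since a later "-->" elsewhere in the page could close it.
    value = COMMENT_RE.sub("", value)
    value = DANGLING_COMMENT_RE.sub("", value)

    # Step 2: censor bad words, case-insensitively (s/$word/censored/gi).
    for word in BAD_WORDS:
        value = re.sub(re.escape(word), "censored", value, flags=re.IGNORECASE)

    # Step 3: strip every remaining tag when HTML is not allowed. The Perl
    # original tests ($allow_html != "yes"), a numeric comparison that is
    # never true; a boolean (or string "ne") test is what was intended.
    if not allow_html:
        value = TAG_RE.sub("", value)
    return value
```

Filtering is a second line of defence only; disabling SSI for the directory the guestbook writes to, as in step (a), removes the execution path entirely.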

For more information, contact Selena Sol at selena@eff.org

========================FORWARDED TEXT ENDS HERE=============================

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (FIRST). See http://www.first.org/team-info/.  

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact 
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key


CERT Contact Information
- - ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
In the subject line, type 
        SUBSCRIBE  your-email-address 



* Registered U.S. Patent and Trademark Office.

The CERT Coordination Center is part of the Software Engineering
Institute (SEI). The SEI is sponsored by the U. S. Department of Defense.


This file: ftp://info.cert.org/pub/cert_bulletins/VB-97.02.sol_guestbook



- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2

- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

-----END PGP SIGNATURE-----