[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : File deletion and other bugs in Auction Weaver LITE 1.0 - 1.04

Title: File deletion and other bugs in Auction Weaver LITE 1.0 - 1.04
Released by: Steve Christey
Date: 16th October 2000
Printable version: Click here
File deletion and other bugs in Auction Weaver LITE 1.0 - 1.04


Title: File deletion and other bugs in Auction Weaver LITE 1.0 - 1.04

Author: Steve Christey (coley@mitre.org)

Date Published: October 16, 2000

Product Name: Auction Weaver LITE

Affected Versions: 1.0 through 1.04

Affected Operating Systems: Unix and Windows NT

Product URL: http://www.cgiscriptcenter.com/awl/

Vendor Name: CGI Script Center

Vendor URL: http://www.cgiscriptcenter.com/

Vendor Email: support@cgiscriptcenter.com

Impact: delete and read arbitrary files

Remotely Exploitable: yes

Locally Exploitable: no

Patch Available: yes

Patched Version: Auction Weaver 1.05

Patch URL: http://www.cgiscriptcenter.com/awl/

Bugtraq ID's: 1782, 1783



CVE Candidate Numbers: CAN-2000-0810, CAN-2000-0811





Auction Weaver LITE is a CGI program written in Perl.  It allows users

to create and host auctions on their web site.

Auction Weaver LITE 1.0 through 1.04 was discovered to contain several

vulnerabilities that allow remote attackers to create, read, or delete

arbitrary files with the privileges of the Auction Weaver process.

These vulnerabilities are different than the ones described by

Meliksah Ozoral and teleh0r in several Bugtraq posts during August

2000 [see references below].  All of the vulnerabilities are commonly

found in CGI scripting programs.

These vulnerabilities were successfully exploited using a default

installation of Auction Weaver on a Solaris 7 box.  However, all

platforms are vulnerable.

The vendor has been notified and a patch is available.



Auction Weaver 1.05 fixes all of the vulnerabilities described in this

advisory.  Upgrade to Auction Weaver 1.05 at:


A complete workaround is not possible for the arbitrary file deletion

problem, so users should upgrade to version 1.05.

Additional Vulnerability Details


These vulnerabilities were discovered while attempting to determine

whether CGI Script Center had patched the previously announced

vulnerabilities.  (While some acknowledgement was posted on the

vendor's web site, it did not provide sufficient details to be certain

that all of the identified problems had been fixed).

The Common Vulnerabilities and Exposures (CVE) project has assigned

unique names to each of these vulnerabilities.  They are candidates

for inclusion in the CVE list, which standardizes names for security

problems.  See http://cve.mitre.org/

The Security Focus VulnHelp service has also assigned Bugtraq ID's to

these vulnerabilities.  See http://www.securityfocus.com/vdb/

1) File/directory deletion with malicious form field names containing ..

   CVE candidate: CAN-2000-0810

   Bugtraq ID: 1782

  In Auction Weaver 1.0 through 1.04, a remote attacker can delete

  arbitrary directories, and files within them, with the privileges of

  the Auction Weaver process.  This vulnerability is due to a lack of

  sanity checking of the names of the form fields.  Due to the nature

  of the bug, files can be deleted outside of the web document root

  using .. notation.  Even if the filenames were properly cleansed of

  .. problems, however, non-administrators would still be able to

  delete auction information, because the vulnerable function is not

  password protected.

  The extent of this vulnerability is slightly mitigated by the fact

  that if the targeted directory contains subdirectories, the script

  may fail once it attempts to delete that subdirectory.  However, it

  may have deleted other files before reaching that subdirectory.

2) Arbitrary file reading and creation with .. in username and bidfile

   CVE candidate: CAN-2000-0811

   Bugtraq ID: 1783

  In Auction Weaver 1.0 through 1.04, a remote attacker can read and

  create arbitrary files in arbitrary directories with the same

  privileges as the Auction Weaver process.  The attacker can not

  fully control the contents of the file.

  The vulnerable script does not properly cleanse two form fields

  (username and bidfile) whose values are later used in constructing

  file pathnames.  These form fields are different than those

  described in previous Bugtraq posts, but it is the same kind of

  vulnerability.  An attacker can insert a .. into the field's value

  to access files outide of the data directory.

  The scope of the problem would be limited to file names with .dat

  extensions, except the program is written in Perl and does not

  filter out null characters.  Thus the attacker can insert a null

  character at the end of the filename as specified in the form,

  effectively bypassing the .dat extension that is later appended to

  the filename.

3) Incomplete patching of catdir and fromfile .. vulnerabilities

   CVE candidate: CAN-2000-0686 (already assigned)

   Bugtraq ID: 1630

  Auction Weaver 1.04 does not completely fix the .. vulnerabilities

  in the "catdir" and "fromfile" form fields, which was described by

  Meliksah Ozoral in a Bugtraq post on August 23, 2000 [1].  As

  originally described, these fields allowed file reading; however,

  they also allow file deletion.

  In version 1.04, the regular expression for removing ".." from

  filenames is not properly specified.  Only files in the parent of

  the data directory can be read or deleted.  However, in the default

  installation of Auction Weaver, the parent directory includes the

  server script itself.  The script itself could be deleted, or the

  administrative password could be read from it.



The following vulnerabilities were discovered in earlier versions of

Auction Weaver.  They are listed here to distinguish them from the new

vulnerabilities discussed in this advisory.

[1] Directory traversal in version 1.02 via catdir form field.

    Bugtraq post by Meliksah Ozoral on August 23, 2000, titled

    "Auction WeaverT LITE 1.0" (subject is also listed as

    "=?iso-8859-9?Q?Auction_WeaverT_LITE_1.0?=" in some archives)

    URL: http://www.securityfocus.com/archive/1/78458

    Bugtraq ID: 1630

    CVE candidate name: CAN-2000-0690

[2] Execute commands with shell metacharacters in fromfile form field

    in version 1.02.

    Bugtraq post by teleh0r on August 30, 2000, titled "More problems

    with Auction Weaver & CGI Script Center."

    URL: http://www.securityfocus.com/archive/1/79452

    Bugtraq ID: 1645

    CVE candidate name: CAN-2000-0687

Disclosure Process


These vulnerabilities were disclosed to the vendor, and to the public,

with guidance from Rain Forest Puppy's Issue disclosure policy (aka

RFPolicy) at http://www.wiretrip.net/rfp/policy.html.  In addition,

this advisory follows emerging best practices for the responsible

disclosure of new vulnerability information.


   Email was sent to the vendor at the suggested email addresses

   referenced in RFPolicy, i.e.: securityalert, secure, security,

   support, and info@cgiscriptcenter.com.  The email provided all

   known details of the vulnerabilities, including exploits and fixes.

   A brief alert was also submitted to the online contact web page.

   The subject header included the phrase "Serious security


   The email included contact information such as name, title,

   organization, and phone number.

   Guidance was provided to the vendor to ensure that the

   vulnerabilities were properly patched.


   Public announcement of the vulnerabilities was delayed until the

   vendor had a patch available and its customers were notified.

   This advisory includes commonly used identifiers (Bugtraq ID's and

   CVE candidate names) to support cross-referencing and to

   distinguish these vulnerabilities from others.

   The Security Focus VulnHelp service was consulted to obtain the

   Bugtraq ID's.  For more information or assistance in drafting

   advisories, please email vulnhelp@securityfocus.com.


   Sufficient technical details are provided in this advisory so that

   security researchers and system administrators can understand the

   nature of the problems and distinguish them from similar problems.

   Exploit code is not included with this advisory.  However, all

   exploit materials were provided to the vendor.

Event Log


Sep 16, 2000:

- initial discovery

- notified vendor

  - email to support@cgiscriptcenter.com and others

  - short post to the online contact form

Sep 18, 2000:

- Vendor responded from both contact points (on the next business

  day).  Additional details provided to vendor

- Vendor disabled downloads for the vulnerable software

Sep 20, 2000:

- Sent email to vendor requesting a status update

- Received a response that the vendor is still working on fixes

Sep 21, 2000:

- Vendor email that problems have been fixed, requested clarification

- Sent clarification

Sep 22, 2000:

- Vendor submitted new version for review

- Sent additional feedback

Sep 23, 2000:

- Vendor completed fixes, sent for final review

Sep 25, 2000:

- Final review complete

- Vendor released new version

- Advisory written and sent to vendor for review

- Obtained CVE candidate names for advisory

Sep 26, 2000:

- Advisory approved by vendor

Oct 5, 2000:

- Advisory submitted to VulnHelp for review and Bugtraq ID's

Oct 12, 2000:

- Bugtraq ID's obtained from VulnHelp

Oct 16, 2000:

- Advisory submitted to Bugtraq, NTBugtraq, and CERT/CC

(C) 1999-2000 All rights reserved.