Joel Palmius
28/03/03, 21:20
Attached is a security advisory for Mod_Survey, which is a mod_perl module
for apache (see attachment). The advisory was first published 2003-03-23
at http://gathering.itm.mh.se/modsurvey/SA20030323.txt
More info about Mod_Survey can be found on its home page, which is
available at http://gathering.itm.mh.se/modsurvey/
// Joel
#################################################
Mod_Survey Security Advisory 2003-03-23, ENV tags
#################################################
ABOUT MOD_SURVEY
----------------
Mod_Survey is an Apache module which displays and handles questionnaires
written in a special XML-based markup language. Mod_Survey is primarily
targeted towards Linux/Unix, but is possible to run in Windows.
SUMMARY
-------
If ENV tags are used in surveys it is, under certain circumstances,
possible for an outside evil person to send arbitrary data to the
data handling system. This could corrupt the data repository or,
in the case of badly configured RDBMSs, be used to execute arbitrary
database commands.
This only affects survey files where ENV tags are used.
ERROR CATEGORY
--------------
The error falls into the class "Input Validation Error". It is possible to
exploit remotely.
VULNERABLE
----------
All versions from version 3.0.9 up to (but not including) 3.0.14e and
3.0.15-pre6 are vulnerable. Thus the following versions have the
problem:
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.14d
3.0.15-pre1
3.0.15-pre2
3.0.15-pre3
3.0.15-pre4
3.0.15-pre5
Not vulnerable:
Versions 3.0.8 and earlier
3.0.14e
3.0.15-pre6
SOLUTION
--------
For systems with 3.0.14d or earlier installed, upgrade to 3.0.14e.
For systems with versions from 3.0.15-pre1 to -pre5, upgrade to
3.0.15-pre6.
If you only have trusted users on the system, you can also simply refrain
from using ENV tags. Surveys that do not include the ENV tags are not
vulnerable.
LONGER DISCUSSION
-----------------
In version 3.0.9, ENV tags were introduced as a way to submit data from
the environment to the data repository along with the actual
questionnaire answers. This is, when used at all, usually used for
gathering info such as from which IP the respondent has connected, or
which user agent the respondent is using.
So far this data has been sent unchecked to the data sub system.
However, a malicious user could easily craft some of the most common
environment variables and thus send arbitrary data to the system.
One example would be if the survey author is using an ENV tag with the
field HTTP_USER_AGENT. The evil cracker could then change this string
in his browser to something which he knew would corrupt the data
repository, such as the delimiting character for ASCIIFILE/AUTODATA save
methods or meta characters for the DBI save method.
In versions 3.0.14e and 3.0.15-pre6 this has been solved through the
encoding of the environment string. With this encoding all "dangerous"
characters are encoded to %XX where XX is the character's hex code.
Thus a semi-colon is submitted as %1B rather than as a semi-colon.
EXPLOIT
-------
Anyone can exploit this by changing the user_agent string in his browser.
IMPACT
------
There are several points limiting the impact of the problem: The ENV tag
must be actively chosen and inserted by a survey author for the above to
be a problem. Secondly, most fields are not possible to change from the
outside as they are set by Apache. Thirdly, unless access is given to the
source of the survey, there is no way to know from the outside whether an
ENV tag is used at all.
CREDITS
-------
The bug was first discovered and discussed on the mod_survey mailing list
by Nicklas Deutschmann.
for apache (see attachment). The advisory was first published 2003-03-23
at http://gathering.itm.mh.se/modsurvey/SA20030323.txt
More info about Mod_Survey can be found on its home page, which is
available at http://gathering.itm.mh.se/modsurvey/
// Joel
#################################################
Mod_Survey Security Advisory 2003-03-23, ENV tags
#################################################
ABOUT MOD_SURVEY
----------------
Mod_Survey is an Apache module which displays and handles questionnaires
written in a special XML-based markup language. Mod_Survey is primarily
targeted towards Linux/Unix, but is possible to run in Windows.
SUMMARY
-------
If ENV tags are used in surveys it is, under certain circumstances,
possible for an outside evil person to send arbitrary data to the
data handling system. This could corrupt the data repository or,
in the case of badly configured RDBMSs, be used to execute arbitrary
database commands.
This only affects survey files where ENV tags are used.
ERROR CATEGORY
--------------
The error falls into the class "Input Validation Error". It is possible to
exploit remotely.
VULNERABLE
----------
All versions from version 3.0.9 up to (but not including) 3.0.14e and
3.0.15-pre6 are vulnerable. Thus the following versions have the
problem:
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.14d
3.0.15-pre1
3.0.15-pre2
3.0.15-pre3
3.0.15-pre4
3.0.15-pre5
Not vulnerable:
Versions 3.0.8 and earlier
3.0.14e
3.0.15-pre6
SOLUTION
--------
For systems with 3.0.14d or earlier installed, upgrade to 3.0.14e.
For systems with versions from 3.0.15-pre1 to -pre5, upgrade to
3.0.15-pre6.
If you only have trusted users on the system, you can also simply refrain
from using ENV tags. Surveys that do not include the ENV tags are not
vulnerable.
LONGER DISCUSSION
-----------------
In version 3.0.9, ENV tags were introduced as a way to submit data from
the environment to the data repository along with the actual
questionnaire answers. This is, when used at all, usually used for
gathering info such as from which IP the respondent has connected, or
which user agent the respondent is using.
So far this data has been sent unchecked to the data sub system.
However, a malicious user could easily craft some of the most common
environment variables and thus send arbitrary data to the system.
One example would be if the survey author is using an ENV tag with the
field HTTP_USER_AGENT. The evil cracker could then change this string
in his browser to something which he knew would corrupt the data
repository, such as the delimiting character for ASCIIFILE/AUTODATA save
methods or meta characters for the DBI save method.
In versions 3.0.14e and 3.0.15-pre6 this has been solved through the
encoding of the environment string. With this encoding all "dangerous"
characters are encoded to %XX where XX is the character's hex code.
Thus a semi-colon is submitted as %1B rather than as a semi-colon.
EXPLOIT
-------
Anyone can exploit this by changing the user_agent string in his browser.
IMPACT
------
There are several points limiting the impact of the problem: The ENV tag
must be actively chosen and inserted by a survey author for the above to
be a problem. Secondly, most fields are not possible to change from the
outside as they are set by Apache. Thirdly, unless access is given to the
source of the survey, there is no way to know from the outside whether an
ENV tag is used at all.
CREDITS
-------
The bug was first discovered and discussed on the mod_survey mailing list
by Nicklas Deutschmann.