Click here to register.

Security Exploit Found in 6.x Versions

Why WebGUI?
Pricing
wG v. HTML v. SP
F.A.Q.
Features
Demo
Section 508 Compliance
Download
Campaigns
Mascot
Success Stories

Security Exploit Found in 6.x Versions

User: JT
Date: 9/ 1/2005 1:39 pm
Views: 1190
Rating: 4    Rate [

+

|

-

]

Several security exploits were found in WebGUI 6.x releases this week. If you are on WebGUI 6.7.3+ or any release prior to WebGUI 6.1.0 then you may disregard this advisory.

The holes discovered make it possible for users to execute arbitrary perl code on your WebGUI server if they are aware of the inner workings of WebGUI. Your best strategy for plugging this security breach is to upgrade to WebGUI 6.7.3 immediately.  However, we realize that not everyone is able to do that, so we do have some alternatives:

First, patch the holes manually. There are three files that may need to be edited, depending upon your version.

Edit /data/WebGUI/lib/WebGUI/Operation/Help.pm

Add:

$namespace =~ s/[^\w\d\s]//g;
$id =~ s/[^\w\d\s\/]//g; 

After:

my $namespace = shift;

In the _get() subroutine. Then edit /data/WebGUI/lib/WebGUI/International.pm

Add:

 $id =~ s/[^\w\d\s\/]//g;
 $language =~ s/[^\w\d\s\/]//g;
 $namespace =~ s/[^\w\d\s\/]//g;

 After

}

But before:

my $cmd = "WebGUI::i18n::".$language."::".$namespace;

in the get() subroutine.  And finally, if you're using WebGUI 6.3+ you'll need to edit /data/WebGUI/lib/WebGUI.pm

Add:

unless ($method =~ /^[A-Za-z]+$/) {
  WebGUI::ErrorHandler::security("tried to call a non-existent method $method on $assetUrl");
  $method = "view";
}

After :

$method = $session{form}{func};

In the page() subroutine.

 

Second, we have a script that will attempt to patch the holes automatically. This script is not necessarily fool proof and it is provided without warranties of any kind. Always back up your system before running any scripts. After running the script you should still check the things listed above to ensure that they've been completed properly.  Find the script attached. To run it just copy it to your server and type the following:

perl fixSecurity.pl /data/WebGUI 

Note that the third patch listed under the manual patching will not be fixed by this script since it only applies to some 6.3+ and above. You will have to patch that manually. 

We cannot stress the importance of patching these problems. Your best course of action is to upgrade to 6.7.3 immediately, but if you cannot do that, please apply the above patches right away.

 



PreviousBackNext