Several security exploits were found in WebGUI 6.x releases this
week. If you are on WebGUI 6.7.3+ or any release prior to WebGUI 6.1.0
then you may disregard this advisory.
The holes discovered make it possible for users who are aware of the
inner workings of WebGUI to execute arbitrary Perl code on your WebGUI
server. Your best strategy for closing these holes is to upgrade to
WebGUI 6.7.3 immediately. However, we realize that not everyone is able
to do that, so we do have some alternatives:
First, patch the holes manually. There are three files that may need to be edited, depending upon your version.

Edit /data/WebGUI/lib/WebGUI/Operation/Help.pm. In the _get() subroutine, after:

    my $namespace = shift;

add:

    $namespace =~ s/[^\w\d\s]//g;
    $id =~ s/[^\w\d\s\/]//g;

Then edit /data/WebGUI/lib/WebGUI/International.pm. In the get() subroutine, after:

    }

but before:

    my $cmd = "WebGUI::i18n::".$language."::".$namespace;

add:

    $id =~ s/[^\w\d\s\/]//g;
    $language =~ s/[^\w\d\s\/]//g;
    $namespace =~ s/[^\w\d\s\/]//g;

And finally, if you're using WebGUI 6.3+ you'll also need to edit /data/WebGUI/lib/WebGUI.pm. In the page() subroutine, after:

    $method = $session{form}{func};

add:

    unless ($method =~ /^[A-Za-z]+$/) {
        WebGUI::ErrorHandler::security("tried to call a non-existent method $method on $assetUrl");
        $method = "view";
    }
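To see what the patches above actually do to a request before the values reach the package-name construction or the method call, here is a small added example (not WebGUI code and not part of the advisory) that applies the same substitutions and the same method check to constructed input. The subroutine names sanitize_i18n_args and safe_method and the sample strings are assumptions made for this illustration.

```perl
#!/usr/bin/perl
# Added example, not from WebGUI: applies the filters the advisory's
# patches add, so an administrator can see exactly which characters
# they remove. All input strings below are constructed for illustration.
use strict;
use warnings;

# Mirrors the International.pm patch: every character outside
# word characters, digits, whitespace and "/" is removed from the
# three values that are later joined into a package name.
sub sanitize_i18n_args {
    my ($id, $language, $namespace) = @_;
    $id        =~ s/[^\w\d\s\/]//g;
    $language  =~ s/[^\w\d\s\/]//g;
    $namespace =~ s/[^\w\d\s\/]//g;
    return ($id, $language, $namespace);
}

# Mirrors the WebGUI.pm patch: a func= value that is not purely
# alphabetic is replaced by "view" instead of being used as a method name.
sub safe_method {
    my $method = shift;
    return ($method =~ /^[A-Za-z]+$/) ? $method : "view";
}

# Constructed request values containing punctuation that has meaning to
# Perl; after filtering only letters, digits, whitespace and "/" remain.
my ($id, $lang, $ns) = sanitize_i18n_args(
    'title; exit', 'English', 'Article::Extra');
print "id=[$id] language=[$lang] namespace=[$ns]\n";
# prints: id=[title exit] language=[English] namespace=[ArticleExtra]

# The filtered values can now only ever form a plain package name.
my $cmd = "WebGUI::i18n::".$lang."::".$ns;
print "$cmd\n";
# prints: WebGUI::i18n::English::ArticleExtra

# Method names: a normal value passes, anything else falls back to "view".
printf "%s -> %s\n", $_, safe_method($_) for ('view', 'edit', 'edit;1', '');
# prints:
# view -> view
# edit -> edit
# edit;1 -> view
#  -> view
```

Note that the filter keeps nothing but word characters, digits, whitespace and "/", so the "::" in the constructed namespace is removed as well; this is the advisory's own filter, shown as written, and running the script with a value from your own site will show you what it does to that value before you rely on it.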
Second, we have a script that will attempt to patch the holes
automatically. This script is not necessarily foolproof and it is
provided without warranties of any kind. Always back up your system
before running any scripts. After running the script you should still
check the things listed above to ensure that they've been completed
properly. Find the script attached. To run it, just copy it to your
server and type the following:

    perl fixSecurity.pl /data/WebGUI

Note that the third patch listed under the manual patching will not
be applied by this script, since it only applies to 6.3 and above.
You will have to patch that manually.
We cannot stress enough the importance of patching these problems. Your
best course of action is to upgrade to 6.7.3 immediately, but if you
cannot do that, please apply the above patches right away.