[Snort-sigs] SID 882
ANAVRATIL at ...440...
Tue Mar 12 19:29:15 EST 2002
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Summary: WEB-CGI CALENDAR ACCESS
Impact: Potentially harmful execution of binaries through perl open()
Detailed Information: An open source calendar perl script by Matt Kruse,
Allows commands to be executed without input verification using the perl
open() function. ie /cgi-bin/calendar_admin.pl place the string "|ping
127.0.0.1|" in the configuration file field, this executes the command "ping
Attack Scenarios: Some one can execute binaries on your machine without user
validation, "/cgi-bin/calendar_admin.pl" then on the resultant page, there
is a prompt for username, password, and configuration file. Ignore the
username and password field and type a command in the configuration file
field escaped with pipe symbols "||" will execute; ie "|mail /etc/passwd|"
as you can see A HUGE PROBLEM!
Ease of Attack: As easy as typing text in a browser
False Positives: If your webserver has pages by the name of calendar*
False Negatives: not known
Corrective Action: Download a newer version of the cgi
Contributors: Aaron Navratil
More information about the Snort-sigs