Gnatsweb Security Advisory

Versions affected

  Gnatsweb 2.7 beta
  Gnatsweb 2.8.0
  Gnatsweb 2.8.1
  Gnatsweb 3.95 for GNATS 4, versions from CVS prior to Jun 26 2001 12:15 PDT

Description

In Gnatsweb 2.7 beta, a new help system was introduced. The standard help text was provided in a separate file named 'gnatsweb.html'. For some reason it was decided to allow the name of the help file to be customized, and it was possible to specify this filename by providing a value to the help_file parameter in a request URL. If a URL such as

  http://www.whatever.whatever/cgi-bin/gnatsweb.pl?cmd=help&help_file=somefile.html

was used to access Gnatsweb, the file somefile.html would be served up as help text instead. The problem was that the value of this parameter was never checked before it was used in an open statement.

Impact

By judicious use of special characters in the value of the help_file parameter, an attacker would be able to read the contents of any file or execute any command to which the web server process user had access.

Solution

Download and apply the patch for your version of Gnatsweb: 2.7 beta, 2.8.0, 2.8.1. This fix hardcodes the name 'gnatsweb.html' for the help file and makes a slight modification to the way the file is opened.

Gnatsweb 3.95 is part of the yet-to-be-released GNATS 4 distribution. Versions checked out of the CVS repository on sources.redhat.com prior to Jun 26 2001 12:15 PDT contain this bug. Users running such versions should check out a new version.

A new version of Gnatsweb incorporating this fix, numbered 2.8.2, is available from the FTP site on sources.redhat.com and from ftp.gnu.org and its mirrors.

First published: Tuesday, 26-Jun-2001 20:46:00 MET DST
Last modified: Tuesday, 26-Jun-2001 22:15:00 MET DST
yngve.svendsen@clustra.com
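The following Perl is an added illustration of the pattern the advisory describes, not Gnatsweb's own code or the published patch. It shows the unsafe shape (a request-supplied filename handed straight to Perl's two-argument open) next to the shape of the fix (the name hardcoded and the file opened with an explicit read mode). The param() stub standing in for the CGI parameter lookup and the HELP_FILE variable are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Gnatsweb code: the help-file open described in the
# advisory, in its unsafe form and in the shape of the 2.8.2 fix.
use strict;
use warnings;

# Hypothetical stand-in for the CGI parameter lookup. In Gnatsweb the value
# came from the help_file query-string parameter of the request.
sub param {
    my ($name) = @_;
    my %query = (help_file => 'gnatsweb.html');   # constructed sample request
    return $query{$name};
}

# BEFORE (pre-fix behaviour as the advisory describes it): the filename is
# taken from the request and passed, unchecked, to two-argument open().
# Two-argument open() treats parts of its single argument as a mode, so a
# caller-chosen string can select an arbitrary path or even a pipe to a
# command rather than the intended help file.
sub serve_help_unsafe {
    my $help_file = param('help_file') || 'gnatsweb.html';
    open(HELP, $help_file) or die "cannot open $help_file: $!";
    local $/;                     # slurp the whole file
    my $text = <HELP>;
    close(HELP);
    return $text;
}

# AFTER (shape of the fix): the name is hardcoded, so no request value ever
# reaches open(), and three-argument open() with an explicit '<' mode means
# the filename is only ever interpreted as a path to read.
my $HELP_FILE = 'gnatsweb.html';  # assumed fixed name, matching the advisory

sub serve_help_safe {
    open(my $fh, '<', $HELP_FILE) or die "cannot open $HELP_FILE: $!";
    local $/;
    my $text = <$fh>;
    close($fh);
    return $text;
}

print serve_help_safe();
```

Both halves of the fix matter: dropping the parameter removes the attacker's control over the string, and the three-argument form guarantees that whatever string does reach open() cannot be reinterpreted as a mode or a pipe. When auditing other CGI code for the same class of bug, the thing to look for is any two-argument open() whose argument is built from request data.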