Bug 57390

Summary: CGI.pm in ports/japanese/perl5 has a cross-site scripting vulnerability
Product: Ports & Packages Reporter: IIJIMA Hiromitsu <delmonta>
Component: Individual Port(s) Assignee: shige <shige>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description IIJIMA Hiromitsu 2003-09-30 06:20:13 UTC
** THIS IS A REPOST OF PR bin/57322,
   since I labelled the Category: line wrongly **

A cross-site scripting vulnerability is reported in CGI.pm.
All of the following are affected:
        - 4.x base system's perl 5.005_03
        - ports/japanese/perl5 (5.005_03 with Japanese patch)
        - ports/lang/perl5 (5.6.1)
        - ports/lang/perl5.8 (5.8.0)

I sent a separate PR for the 4.x base system (PR bin/57321)
and will send another for lang/perl5*.

Fix:

1. Currently, the only perfect solution is to replace CGI.pm with
   a newer one.

2. It is safe to avoid using CGI.pm's start_form() until
   PR ports/57302 is accepted.

3. Just installing ports/www/p5-CGI.pm or the latest version at CPAN does
   not solve the problem, since jperl finds the old CGI.pm in the standard
   perl distribution before searching the site_perl folders where the newer
   CGI.pm is installed.
   This problem will be solved if PR ports/57302 is accepted.

4. If you do want to use start_form(), either
        - all local users are urged to make sure by themselves that
          the newer CGI.pm will be used, by using the -I command-line option
          or manipulating the @INC array.
        - it may be possible to solve the problem by linking newer
          CGI.pm to newer one by the following commands:
                % su
                # cd /usr/local/lib/perl5/5.00503
                # ln -sf ../site_perl/5.005/CGI.pm .

How-To-Repeat:
See the exploit code at:
        http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2
Comment 1 Kirill Ponomarev freebsd_committer freebsd_triage 2003-09-30 06:25:14 UTC
Responsible Changed
From-To: freebsd-ports-bugs->shige

Over to maintainer
Comment 2 IIJIMA Hiromitsu 2003-09-30 06:26:15 UTC
Sorry, I reposted this without checking that PRs bin/57322 and bin/57323
are renumbered as ports/57322 and ports/57323.

Therefore, PRs ports/57390 and ports/57391 are now just duplicates.
Please close them and solve ports/57322 and ports/57323.
Comment 3 IIJIMA Hiromitsu 2003-09-30 10:05:03 UTC
1.
PR ports/57322 was closed because it was 'superceded by ports/57390',
so please solve this issue.

2.
This issue was fixed for ports/lang/perl5{,8}.
Please see latest ports/lang/perl5{,8}/files/patch-CGI.pm and PR ports/57391.
Comment 4 IIJIMA Hiromitsu 2003-10-01 15:47:26 UTC
As tobez fixed in ports/lang/perl{5,5.8}, I made a patch to substitute
the affected code by CGI.pm 3.00's one.

--- CGI.pm.orig Wed Sep 17 09:07:05 2003
+++ CGI.pm      Wed Oct  1 23:40:10 2003
@@ -1413,8 +1413,13 @@

     $method = $method || 'POST';
     $enctype = $enctype || &URL_ENCODED;
-    $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
-       'ACTION="'.$self->script_name.'"' : '';
+    unless (defined $action) {
+       $action = $self->escapeHTML($self->url(-absolute=>1,-path=>1));
+       if (length($ENV{QUERY_STRING})>0) {
+           $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
+       }
+    }
+    $action = qq(action="$action");
     my($other) = @other ? " @other" : '';
     $self->{'.parametersToAdd'}={};
     return qq/<FORM METHOD="$method" $action ENCTYPE="$enctype"$other>\n/;
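Review bot: the replacement relies on the CGI.pm 3.00 signatures escapeHTML($str, $newlinestoo) and url(-absolute=>1, -path=>1); since this patch is applied to the older CGI.pm shipped with 5.005_03, confirm that this file's escapeHTML honours the second argument (otherwise CR/LF in QUERY_STRING stay unescaped) and that its url() accepts -path. Two smaller points: the new line emits a lowercase `action="..."` inside a tag whose other attributes are uppercase (`METHOD=`, `ENCTYPE=`), and the `unless (defined $action)` guard means an explicitly supplied -action is still interpolated unescaped, while an empty-but-defined value now yields `action=""` where the old ternary emitted no attribute at all. A short comment stating that callers must escape any -action they derive from request data would document the contract.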
Comment 5 IIJIMA Hiromitsu 2003-10-01 17:02:17 UTC
1.
It seems perl 5.005_03 is not affected in all circumstances I have access to,
but it might still be affected in other situations.

When we give a URL like:
	http://host/xss.cgi?">some%20text<!--%20

the original code
>  $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
>     'ACTION="'.$self->script_name.'"' : '';
uses the script_name() subroutine, which returns only '/xss.cgi', not the complete
URL '/xss.cgi?">some%20text<!--%20', at least when used with Apache 1.3.28.

(i.e. Perl 5.6+ and the latest ports/www/p5-CGI.pm use the complete URL for generating
 the ACTION= part, but perl 5.005_03's original CGI.pm does not.)

So the original code's output in this case is
   <FORM METHOD="POST" ACTION="/xss.cgi" (snip)>
and therefore this exploit code does not work.

But I don't know either
	- how other web servers are implemented
	- whether we have a way to give a malformed script_name to CGI.pm
	  with such browsers.

Therefore, the only thing I can tell is that it is unsafe to assume that
script_name()'s return value never contains '"', '>', or '<' characters.

2.
Applying the patch posted on 01 Oct 2003 23:47:26 +0900 will change the
behavior of start_form() to use the complete URL rather than the script name only,
so if you don't want to change it, please apply the following patch:

--- CGI.pm.orig Wed Sep 17 09:07:05 2003
+++ CGI.pm      Thu Oct  2 00:46:52 2003
@@ -1414,7 +1414,7 @@
     $method = $method || 'POST';
     $enctype = $enctype || &URL_ENCODED;
     $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
-       'ACTION="'.$self->script_name.'"' : '';
+       'ACTION="'.$self->escapeHTML($self->script_name).'"' : '';
     my($other) = @other ? " @other" : '';
     $self->{'.parametersToAdd'}={};
     return qq/<FORM METHOD="$method" $action ENCTYPE="$enctype"$other>\n/;
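Review bot: escaping $self->script_name closes the case examined in the comment above, but a caller-supplied $action still goes into ACTION="$action" verbatim in the first branch of the same ternary, so any -action value built from request data must be escaped by the caller; a comment stating that contract next to this line would help. The nested ternary without parentheses is also easy to misread; wrapping the `$method eq 'GET' ? ... : ''` part in parentheses keeps the behaviour and makes the precedence explicit.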
Comment 6 shige freebsd_committer freebsd_triage 2003-10-03 17:28:10 UTC
State Changed
From-To: open->closed

Committed. Thanks!
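The attribute-escaping fix discussed in Comments 4 and 5, as an added illustration that is not part of this PR or of CGI.pm: a stand-alone Perl script with a minimal start_form() in the unpatched shape beside the escaped shape, run on a constructed QUERY_STRING carrying the characters from the URL in Comment 5. The names escape_html, start_form_vulnerable, start_form_fixed and attribute_is_safe are assumed here, and escape_html is a reimplementation rather than CGI.pm's escapeHTML.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed helper: a reimplementation in the spirit of CGI.pm 3.00's
# escapeHTML, not a copy of it; $newlines_too also encodes CR and LF.
sub escape_html {
    my ($s, $newlines_too) = @_;
    return '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    if ($newlines_too) {
        $s =~ s/\012/&#10;/g;
        $s =~ s/\015/&#13;/g;
    }
    return $s;
}

# Unpatched shape: script name and query string go into ACTION verbatim,
# so a '"' in the request closes the attribute and the rest is raw markup.
sub start_form_vulnerable {
    my ($script_name, $query_string) = @_;
    my $action = $script_name;
    $action .= "?$query_string" if length $query_string;
    return qq(<FORM METHOD="POST" ACTION="$action">\n);
}

# Patched shape, following Comment 4: escape both parts before building the tag.
sub start_form_fixed {
    my ($script_name, $query_string) = @_;
    my $action = escape_html($script_name);
    $action .= '?' . escape_html($query_string, 1) if length $query_string;
    return qq(<FORM METHOD="POST" ACTION="$action">\n);
}

# Check: a single well-formed tag has no raw '<' or '>' before its closing '>'.
sub attribute_is_safe {
    my ($html) = @_;
    return $html =~ /^<FORM [^<>]*>\n\z/ ? 1 : 0;
}

# Constructed QUERY_STRING with the characters from the URL in Comment 5.
my $qs = q{">some%20text<!--%20};
for my $case ([vulnerable => \&start_form_vulnerable], [fixed => \&start_form_fixed]) {
    my ($name, $fn) = @$case;
    my $html = $fn->('/xss.cgi', $qs);
    printf "%-10s safe=%d %s", $name, attribute_is_safe($html), $html;
}
```

The unpatched output reports safe=0 because the attribute closes at the injected quote; the escaped output reports safe=1 with the quote and angle brackets rendered as entities.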