Home page logo
/

bugtraq logo Bugtraq mailing list archives

Mod_Survey ENV tag vulnerability
From: Joel Palmius <joel.palmius () mh se>
Date: Fri, 28 Mar 2003 13:02:39 +0100 (CET)

Attached is a security advisory for Mod_Survey, which is a mod_perl module
for apache (see attachment). The advisory was first published 2003-03-23 
at http://gathering.itm.mh.se/modsurvey/SA20030323.txt

More info about Mod_Survey can be found on its home page, which is
available at http://gathering.itm.mh.se/modsurvey/

  // Joel



#################################################
Mod_Survey Security Advisory 2003-03-23, ENV tags
#################################################


ABOUT MOD_SURVEY
----------------
Mod_Survey is an Apache module which displays and handles questionnaires
written in a special XML-based markup language. Mod_Survey is primarily
targeted towards Linux/Unix, but is possible to run in Windows.


SUMMARY
-------
If ENV tags are used in surveys it is, under certain circumstances,
possible for an outside evil person to send arbitrary data to the
data handling system. This could corrupt the data repository or, 
in the case of badly configured RDBMSs, be used to execute arbitrary
database commands. 

This only affects survey files where ENV tags are used. 


ERROR CATEGORY
--------------
The error falls into the class "Input Validation Error". It is possible to 
exploit remotely.


VULNERABLE
----------
All versions from version 3.0.9 up to (but not including) 3.0.14e and
3.0.15-pre6 are vulnerable. Thus the following versions have the
problem:

  3.0.9
  3.0.10
  3.0.11
  3.0.12
  3.0.13
  3.0.14
  3.0.14d

  3.0.15-pre1
  3.0.15-pre2
  3.0.15-pre3
  3.0.15-pre4
  3.0.15-pre5

Not vulnerable:

  Versions 3.0.8 and earlier
  3.0.14e
  3.0.15-pre6


SOLUTION
--------
For systems with 3.0.14d or earlier installed, upgrade to 3.0.14e. 
For systems with versions from 3.0.15-pre1 to -pre5, upgrade to
3.0.15-pre6.

If you only have trusted users on the system, you can also simply refrain 
from using ENV tags. Surveys that do not include the ENV tags are not 
vulnerable. 


LONGER DISCUSSION
-----------------
In version 3.0.9, ENV tags were introduced as a way to submit data from 
the environment to the data repository along with the actual 
questionnaire answers. This is, when used at all, usually used for
gathering info such as from which IP the respondent has connected, or 
which user agent the respondent is using. 

So far this data has been sent unchecked to the data sub system. 
However, a malicious user could easily craft some of the most common 
environment variables and thus send arbitrary data to the system.

One example would be if the survey author is using an ENV tag with the 
field HTTP_USER_AGENT. The evil cracker could then change this string 
in his browser to something which he knew would corrupt the data
repository, such as the delimiting character for ASCIIFILE/AUTODATA save 
methods or meta characters for the DBI save method. 

In versions 3.0.14e and 3.0.15-pre6 this has been solved through the
encoding of the environment string. With this encoding all "dangerous"
characters are encoded to %XX where XX is the character's hex code.
Thus a semi-colon is submitted as %1B rather than as a semi-colon.


EXPLOIT
-------
Anyone can exploit this by changing the user_agent string in his browser.


IMPACT
------
There are several points limiting the impact of the problem: The ENV tag 
must be actively chosen and inserted by a survey author for the above to 
be a problem. Secondly, most fields are not possible to change from the 
outside as they are set by Apache. Thirdly, unless access is given to the 
source of the survey, there is no way to know from the outside whether an 
ENV tag is used at all. 


CREDITS
-------
The bug was first discovered and discussed on the mod_survey mailing list
by Nicklas Deutschmann.


  By Date           By Thread  

Current thread:
  • Mod_Survey ENV tag vulnerability Joel Palmius (Mar 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault