Package: cgi-scripts
Version: 1.0.9
Severity: grave

Several example scripts in the 'cgi-scripts' package pass information supplied by the remote user to the shell as unquoted strings. The failure to quote these strings introduces a severe potential vulnerability. Although some web servers may provide some first-line protection against glaring exploits of this situation, none provide truly secure protection against it.
The worst case is that arbitrary input could be passed to a shell running with the privileges of the user (or pseudo-user) who owns the web server process. That could allow compromises of the 'cat /etc/passwd' sort, and could conceivably let a remote user learn about directory structures and other sensitive information on the filesystem outside the document root. If there are setuid programs on the local filesystem, these could conceivably be executed on behalf of the remote user through the web server.

For example, the 'calendar' script passes the '$*' parameter unquoted as the argument to the 'cal' program, and the 'nph-test-cgi' script passes '$QUERY_STRING' and several other such critical variables unquoted. If the remote user is able to insert characters that have special significance to the shell, such as backquote, semicolon, asterisk, and so on, then serious security compromises are possible. The exact extent of the vulnerability and the ease of exploitation depend on the configuration of the particular web server. There are no cases in which it is desirable to leave these strings unquoted.

Note that this issue affects both 1.0.10 (potato/unstable) and 1.0.9 (slink/stable). Although some of these issues were corrected in 1.0.10, such as the 'nph-test-cgi' problem, others remain, such as the 'calendar' problem. Regardless, the security problems here, combined with the low likelihood that a fix would introduce further bugs, warrant a correction to the stable tree in addition to the unstable tree.

-- Mike
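As an added example (not code from the cgi-scripts package), a hardened calendar-style handler in POSIX sh: it validates QUERY_STRING against a strict "month year" shape, so no shell metacharacter survives, and then quotes every variable in the 'cal' call. The function names and the assumption that the query carries '+'-encoded "month year" are mine.

```sh
#!/bin/sh
# Added example, not the cgi-scripts 'calendar' script. The original
# pattern was "cal $*": unquoted, so the shell splits, globs and
# interprets anything the client sent. Here the input is validated first
# and every expansion is quoted.

# Print "month year" if $1 has exactly that shape; print nothing and
# return 1 on any deviation. Only digits and one space can get through,
# so backquote, semicolon, asterisk and percent-escapes are all rejected
# (fail-closed: "%20" is not decoded, it is simply refused).
sanitize_cal_args() {
    # Form encoding sends a space as '+'; decode only that.
    input=$(printf '%s' "$1" | tr '+' ' ')
    case "$input" in
        [0-9][0-9]' '[0-9][0-9][0-9][0-9]) ;;
        [0-9]' '[0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    month=${input%% *}
    year=${input##* }
    [ "$month" -ge 1 ] && [ "$month" -le 12 ] || return 1
    printf '%s %s\n' "$month" "$year"
}

# CGI entry point: emit a calendar for the validated month/year.
run_calendar() {
    args=$(sanitize_cal_args "$1") || {
        printf 'Content-type: text/plain\r\n\r\nInvalid month/year.\r\n'
        return 1
    }
    month=${args%% *}
    year=${args##* }
    printf 'Content-type: text/plain\r\n\r\n'
    # Quoted expansions: the shell performs no word splitting, globbing
    # or command substitution on what the client sent.
    cal "$month" "$year"
}

# Run only when invoked by a web server (GATEWAY_INTERFACE is CGI-specific).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    run_calendar "${QUERY_STRING:-}"
fi
```

Anything other than one or two digits, a space, and four digits is refused before 'cal' is ever reached; the validated values would be safe even unquoted, but quoting stays the rule.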