Security Issues In CGINews And CGIForum
December 14, 2021

CGINews is a multi-user Web site news posting system written in Perl. Main features include: adding, updating, and deleting news entries, multi-user functionality, sections, access levels, logs, highly-configurable layout, file upload, binary attachments and more.

Weak Password Encryption:
The CGINews program does not use DES, MD5 or any other one-way crypt algorithm. Instead, it uses a weak, reversible method. Below is a script that can easily decrypt the passwords found in the program's *.pwl files. This issue is also present in CGIForum 1.09 by Markus Triska, and the script can be used to decode CGIForum password files as well.

CGINews And CGIForum Password Decrypt Utility

Information Disclosure Vulnerability:
By default, the users' log files are viewable at username/username.log. The only files not viewable by default are the .pwl files.

Sat Dec 13 21:06:37 2003: jeiar changed password.
Sat Dec 13 21:10:21 2003: jeiar changed E-Mail/Syntax: test@blah/jeiar.
Sat Dec 13 21:10:54 2003: jeiar tried to change password.
Sat Dec 13 21:13:59 2003: jeiar uploaded file: C:\cmd.exe
Sat Dec 13 21:31:38 2003: jeiar uploaded file: C:\

You can add your own DES or MD5 encryption if you are familiar with Perl. To solve the log file problem, simply add a .htaccess file that makes the directory not viewable. For example:
AuthType Basic
AuthName "No access"
AuthUserFile .htnopasswd
AuthGroupFile /dev/null
Require valid-user
The author plans on including this type of .htaccess file in future versions, but does not have any plans on changing or strengthening the encryption method.

James Bercegay of the GulfTech Security Research Team.

Copyright 2004 GulfTech Research And Development, All Rights Reserved