From delmonta@sodans.usata.org  Sun Sep 28 09:29:22 2003
Return-Path: <delmonta@sodans.usata.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0A77116A4B3
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 28 Sep 2003 09:29:22 -0700 (PDT)
Received: from sodans.usata.org (sodans.usata.org [61.211.239.46])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 696744403B
	for <FreeBSD-gnats-submit@freebsd.org>; Sun, 28 Sep 2003 09:29:21 -0700 (PDT)
	(envelope-from delmonta@sodans.usata.org)
Received: by sodans.usata.org (Postfix, from userid 1000)
	id 7770EA97F; Mon, 29 Sep 2003 01:29:20 +0900 (JST)
Message-Id: <20030928162920.7770EA97F@sodans.usata.org>
Date: Mon, 29 Sep 2003 01:29:20 +0900 (JST)
From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
Reply-To: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: CGI.pm in 4.x base system has a cross-site scripting vulneravility
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         57321
>Category:       bin
>Synopsis:       CGI.pm in 4.x base system has a cross-site scripting vulneravility
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    markm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Sep 28 09:30:16 PDT 2003
>Closed-Date:    Mon Mar 28 12:49:45 GMT 2005
>Last-Modified:  Mon Mar 28 12:49:45 GMT 2005
>Originator:     IIJIMA Hiromitsu
>Release:        FreeBSD 4.7-RELEASE-p3 i386
>Organization:
DENNOU GEDOU GAKKAI, N. D. D. http://www.dennougedougakkai-ndd.org
>Environment:
System: FreeBSD sodans.usata.org 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #0: Wed Jan 22 14:50:19 JST 2003 root@www.my.domain:/usr/src/sys/compile/RENTALv6 i386

Userland is upgraded to -p16, while the kernel is still -p3.

>Description:
	A cross-site scripting vulnerability is reported in CGI.pm.
	All of the following are affected:
		- 4.x base system's perl 5.005_03
		- ports/japanese/perl5 (5.005_03 with Japanese patch)
		- ports/lang/perl5 (5.6.1)
		- ports/lang/perl5.8 (5.8.0)

	I'll send separate PRs for japanese/perl5 and lang/perl5*.

>How-To-Repeat:
	See the exploit code at:
	http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2

>Fix:
	Replace CGI.pm with the latest version from CPAN,
	or install ports/www/p5-CGI.pm.
>Release-Note:
>Audit-Trail:

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/57321: CGI.pm in 4.x base system has a cross-site scripting 
 vulneravility
Date: Mon, 29 Sep 2003 01:49:33 +0900

 Labelled as CAN-2003-0615 and more information is available at:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0615
Responsible-Changed-From-To: freebsd-bugs->so 
Responsible-Changed-By: matusita 
Responsible-Changed-When: Mon Sep 29 23:07:44 PDT 2003 
Responsible-Changed-Why:  
Assigned to the security officer since it is a base-system security problem. 
See also bin/57315 that reports Safe.pm vulnerability. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57321 

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/57321: CGI.pm in 4.x base system has a cross-site scripting 
 vulneravility
Date: Tue, 30 Sep 2003 18:10:48 +0900

 In ports/lang/perl5* (perl versions 5.6.1 and 5.8.0), this issue was solved.
 Please see latest ports/lang/perl5*/files/patch/patch-CGI.pm and PR ports/57391.

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Cc: so@freebsd.org, shige@freebsd.org
Subject: Re: bin/57321: CGI.pm in 4.x base system has a cross-site scripting 
 vulneravility
Date: Thu, 02 Oct 2003 01:12:55 +0900

 ** POSTING TO PR ports/57390 TOO **
 
 1.
 It seems perl 5.005_03 is not affected on all circumstances I have access to,
 but it might still be affected on other situations.
 
 When we give the URL like:
         http://host/xss.cgi?">some%20text<!--%20
 
 the original code 
 >  $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
 >     'ACTION="'.$self->script_name.'"' : '';
 uses script_name() subroutine, which returns only '/xss.cgi', not the complete
 URL '/xss.cgi?">some%20text<!--%20', at least when used with Apache 1.3.28.
 
 (i.e. Perl 5.6+ and latest ports/www/p5-CGI.pm use complete URL for generating
  ACTION= part, but perl 5.005_03's original CGI.pm does not.)
 
 So the original code's output in this case is
    <FORM METHOD="POST" ACTION="/xss.cgi" (snip)>
 and therefore this exploit code does not work.
 
 But I don't know either
   - how other web servers are implemented
   - whether we have a way to give malformed script_name to CGI.pm
     with such servers.
 
 Therefore, the only thing I can tell is that it is unsafe to assume that
 script_name()'s return value never contains '"', '>', or '<' characters.
 
 
 2.
 I prepared two patches. Please apply one of them.
 
 The first patch is how tobez fixed this problem at ports/lang/perl{5,5.8}.
 This is a patch to substitute the affected code by CGI.pm 3.00's one.
 
 --- CGI.pm.orig Wed Sep 17 09:07:05 2003
 +++ CGI.pm      Wed Oct  1 23:40:10 2003
 @@ -1413,8 +1413,13 @@
 
      $method = $method || 'POST';
      $enctype = $enctype || &URL_ENCODED;
 -    $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
 -       'ACTION="'.$self->script_name.'"' : '';
 +    unless (defined $action) {
 +       $action = $self->escapeHTML($self->url(-absolute=>1,-path=>1));
 +       if (length($ENV{QUERY_STRING})>0) {
 +           $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
 +       }
 +    }
 +    $action = qq(action="$action");
      my($other) = @other ? " @other" : '';
      $self->{'.parametersToAdd'}={};
      return qq/<FORM METHOD="$method" $action ENCTYPE="$enctype"$other>\n/;
 
 Applying the patch above will change the behavior of start_form() to use
 complete URL rather than script name only, so if you don't want to change it,
 please apply the second patch below.
 
 --- CGI.pm.orig Wed Sep 17 09:07:05 2003
 +++ CGI.pm      Thu Oct  2 00:46:52 2003
 @@ -1414,7 +1414,7 @@
      $method = $method || 'POST';
      $enctype = $enctype || &URL_ENCODED;
      $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
 -       'ACTION="'.$self->script_name.'"' : '';
 +       'ACTION="'.$self->escapeHTML($self->script_name).'"' : '';
      my($other) = @other ? " @other" : '';
      $self->{'.parametersToAdd'}={};
      return qq/<FORM METHOD="$method" $action ENCTYPE="$enctype"$other>\n/;
Responsible-Changed-From-To: so->markm 
Responsible-Changed-By: matusita 
Responsible-Changed-When: Thu Oct 2 06:04:30 PDT 2003 
Responsible-Changed-Why:  
Nectar says that it should be assigned to the FreeBSD 4.x perl maintainer. 
Markm, would you please take care of this PR?  (I believe that you're 
still the maintainer of perl on the FreeBSD base system.) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57321 

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org, markm@FreeBSD.org
Cc: shige@freebsd.org
Subject: Re: bin/57321: CGI.pm in 4.x base system has a cross-site scripting 
 vulneravility
Date: Fri, 03 Oct 2003 16:37:55 +0900

 The second patch seems incomplete, since the patch leaves qq/ACTION="$action"
 part as is.
 
 Mr. Shigeyuki Fukushima, the ports/japanese/perl5 maintainer, suggested me
 the above thing while we are discussing the same problem in japanese/perl5
 (see PR ports/57390). And he says escape() is better than escapeHTML().
 
 The suggestion (in Japanese) is at:
 http://home.jp.FreeBSD.org/cgi-bin/showmail/ports-jp/14200
 
 Therefore, the revised version of the second patch is:
 
 --- CGI.pm.orig Wed Sep 17 09:07:05 2003
 +++ CGI.pm      Thu Oct  2 00:46:52 2003
 @@ -1414,7 +1414,7 @@
      $method = $method || 'POST';
      $enctype = $enctype || &URL_ENCODED;
 -    $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
 -       'ACTION="'.$self->script_name.'"' : '';
 +    $action = $action ? 'ACTION="'.$self->escape($action).'"' : $method eq 'GET' ?
 +       'ACTION="'.$self->escape($self->script_name).'"' : '';
      my($other) = @other ? " @other" : '';
      $self->{'.parametersToAdd'}={};
      return qq/<FORM METHOD="$method" $action ENCTYPE="$enctype"$other>\n/;

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org, markm@FreeBSD.org,
	shige@FreeBSD.org
Cc:  
Subject: Re: bin/57321: CGI.pm in 4.x base system has a cross-site scripting 
 vulneravility
Date: Fri, 03 Oct 2003 22:19:11 +0900

 > Mr. Shigeyuki Fukushima
 ...
 > says escape() is better than escapeHTML().
 
 Using escape() is not appropriate, since it escapes even '/'. For example,
 if we make a call like $cgi->start_form(-action=>'/~username/foo.cgi'),
 escape() results in '%2F%7Eusername%2Ffoo.cgi', which will not works work
 on most web servers.
 
 New patch.
 
 --- CGI.pm.orig Wed Sep 17 09:07:05 2003
 +++ CGI.pm      Thu Oct  2 00:46:52 2003
 @@ -1414,7 +1414,7 @@
      $method = $method || 'POST';
      $enctype = $enctype || &URL_ENCODED;
 -    $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
 -       'ACTION="'.$self->script_name.'"' : '';
 +    $action = $action ? 'ACTION="'.$self->escapeHTML($action).'"' : $method eq 'GET' ?
 +       'ACTION="'.$self->escapeHTML($self->script_name).'"' : '';
      my($other) = @other ? " @other" : '';
      $self->{'.parametersToAdd'}={};
      return qq/<FORM METHOD="$method" $action ENCTYPE="$enctype"$other>\n/;

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/57321: CGI.pm in 4.x base system has a cross-site scripting 
 vulneravility
Date: Sat, 04 Oct 2003 03:03:33 +0900

 PR ports/57390 (japanese/perl5 counterpart of this problem) was closed with
 my last patch (Fri, 03 Oct 2003 22:19:11 +0900 one).
State-Changed-From-To: open->closed 
State-Changed-By: markm 
State-Changed-When: Mon Mar 28 12:47:03 GMT 2005 
State-Changed-Why:  
CGI.pm in the base tree is off-the-beaten-track. If this really 
is a threat, I'd recommend removing it, but the code is deprecated 
anyway. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57321 
>Unformatted:
