From delmonta@sodans.usata.org  Mon Sep 29 22:13:53 2003
Return-Path: <delmonta@sodans.usata.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3960216A4B3
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 29 Sep 2003 22:13:53 -0700 (PDT)
Received: from sodans.usata.org (sodans.usata.org [61.211.239.46])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9E43A44011
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 29 Sep 2003 22:13:52 -0700 (PDT)
	(envelope-from delmonta@sodans.usata.org)
Received: by sodans.usata.org (Postfix, from userid 1000)
	id 575EDA97F; Tue, 30 Sep 2003 14:13:51 +0900 (JST)
Message-Id: <20030930051351.575EDA97F@sodans.usata.org>
Date: Tue, 30 Sep 2003 14:13:51 +0900 (JST)
From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
Reply-To: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: CGI.pm in ports/japanese/perl5 has a cross-site scripting vulnerability
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         57390
>Category:       ports
>Synopsis:       CGI.pm in ports/japanese/perl5 has a cross-site scripting vulnerability
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    shige
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 29 22:20:13 PDT 2003
>Closed-Date:    Fri Oct 03 09:28:41 PDT 2003
>Last-Modified:  Fri Oct 03 09:28:41 PDT 2003
>Originator:     IIJIMA Hiromitsu
>Release:        FreeBSD 4.7-RELEASE-p3 i386
>Organization:
DENNOU GEDOU GAKKAI, N. D. D. http://www.dennougedougakkai-ndd.org
>Environment:
System: FreeBSD sodans.usata.org 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #0: Wed Jan 22 14:50:19 JST 2003 root@www.my.domain:/usr/src/sys/compile/RENTALv6 i386

Userland is upgraded to -p16, while the kernel is still -p3.

>Description:
	** THIS IS A REPOST OF PR bin/57322,
		since I put the wrong Category: line in it **

        A cross-site scripting vulnerability is reported in CGI.pm.
        All of the following are affected:
                - 4.x base system's perl 5.005_03
                - ports/japanese/perl5 (5.005_03 with Japanese patch)
                - ports/lang/perl5 (5.6.1)
                - ports/lang/perl5.8 (5.8.0)

        I sent a separate PR for the 4.x base system (PR bin/57321)
	and will send another for lang/perl5*.

>How-To-Repeat:
        See the exploit code at:
        http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2

>Fix:
        1. Currently, the only perfect solution is to replace CGI.pm with
           a newer one.

        2. It is safe to avoid using CGI.pm's start_form() until
	   PR ports/57302 is accepted.

        3. Just installing ports/www/p5-CGI.pm or the latest version from CPAN
           does not solve the problem, since jperl finds the old CGI.pm in the
           standard perl distribution before searching the site_perl folders
           where the newer CGI.pm is installed.
           This problem will be solved if PR ports/57302 is accepted.

        4. If you do want to use start_form(), either
                - all local users are urged to make sure by themselves that
                  the newer CGI.pm will be used, by using the -I command-line
                  option or manipulating the @INC array.
                - it may be possible to solve the problem by linking the newer
		  CGI.pm over the old one with the following commands:
                        % su
                        # cd /usr/local/lib/perl5/5.00503
                        # ln -sf ../site_perl/5.005/CGI.pm .
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->shige  
Responsible-Changed-By: krion 
Responsible-Changed-When: Mon Sep 29 22:25:14 PDT 2003 
Responsible-Changed-Why:  
Over to maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57390 

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: ports/57390: CGI.pm in ports/japanese/perl5 has a cross-site 
 scripting vulnerability
Date: Tue, 30 Sep 2003 14:26:15 +0900

 Sorry, I reposted this without checking that PRs bin/57322 and bin/57323
 had been renumbered as ports/57322 and ports/57323.
 
 Therefore, PRs ports/57390 and ports/57391 are now just duplicates.
 Please close them and solve ports/57322 and ports/57323.

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: ports/57390: CGI.pm in ports/japanese/perl5 has a cross-site 
 scripting vulnerability
Date: Tue, 30 Sep 2003 18:05:03 +0900

 1.
 PR ports/57322 was closed because it was 'superceded by ports/57390',
 so please solve this issue.
 
 2.
 This issue was fixed for ports/lang/perl5{,8}.
 Please see the latest ports/lang/perl5{,8}/files/patch-CGI.pm and PR ports/57391.

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Cc: shige@freebsd.org
Subject: Re: ports/57390: CGI.pm in ports/japanese/perl5 has a cross-site 
 scripting vulnerability
Date: Wed, 01 Oct 2003 23:47:26 +0900

 Following the fix tobez made in ports/lang/perl{5,5.8}, I made a patch that
 replaces the affected code with CGI.pm 3.00's.
 
 --- CGI.pm.orig Wed Sep 17 09:07:05 2003
 +++ CGI.pm      Wed Oct  1 23:40:10 2003
 @@ -1413,8 +1413,13 @@
 
      $method = $method || 'POST';
      $enctype = $enctype || &URL_ENCODED;
 -    $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
 -       'ACTION="'.$self->script_name.'"' : '';
 +    unless (defined $action) {
 +       $action = $self->escapeHTML($self->url(-absolute=>1,-path=>1));
 +       if (length($ENV{QUERY_STRING})>0) {
 +           $action .= "?".$self->escapeHTML($ENV{QUERY_STRING},1);
 +       }
 +    }
 +    $action = qq(action="$action");
      my($other) = @other ? " @other" : '';
      $self->{'.parametersToAdd'}={};
      return qq/<FORM METHOD="$method" $action ENCTYPE="$enctype"$other>\n/;
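Review bot: the replacement depends on `$self->url(-absolute=>1,-path=>1)` and on a two-argument `escapeHTML($ENV{QUERY_STRING},1)`, neither of which is defined in this hunk; as this is CGI.pm 3.00 code backported into the 5.005_03 CGI.pm, the patch should confirm both exist with those signatures there (or carry their definitions), because a missing `-path` option or second `escapeHTML` argument would only show up when start_form() runs. The guard also changes from truthiness to `unless (defined $action)`, so a caller passing an empty `-action` now gets `action=""` where the old code emitted no attribute for POST, and a caller-supplied `$action` is still interpolated unescaped; both deserve a line in the port's patch comment. Minor: the new `action=` is lowercase next to the uppercase `METHOD=`/`ENCTYPE=` on the return line.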

From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp>
To: freebsd-gnats-submit@FreeBSD.org
Cc: shige@freebsd.org
Subject: Re: ports/57390: CGI.pm in ports/japanese/perl5 has a cross-site 
 scripting vulnerability
Date: Thu, 02 Oct 2003 01:02:17 +0900

 1.
 It seems perl 5.005_03 is not affected in any of the circumstances I have access
 to, but it might still be affected in other situations.
 
 When we give the URL like:
 	http://host/xss.cgi?">some%20text<!--%20
 
 the original code
 >  $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
 >     'ACTION="'.$self->script_name.'"' : '';
 uses the script_name() subroutine, which returns only '/xss.cgi', not the
 complete URL '/xss.cgi?">some%20text<!--%20', at least when used with
 Apache 1.3.28.
 
 (i.e. Perl 5.6+ and the latest ports/www/p5-CGI.pm use the complete URL for
  generating the ACTION= part, but perl 5.005_03's original CGI.pm does not.)
 
 So the original code's output in this case is
    <FORM METHOD="POST" ACTION="/xss.cgi" (snip)>
 and therefore this exploit code does not work.
 
 But I don't know either
 	- how other web servers are implemented
 	- whether there is a way to give a malformed script_name to CGI.pm
 	  with such browsers.
 
 Therefore, the only thing I can tell is that it is unsafe to assume that
 script_name()'s return value never contains '"', '>', or '<' characters.
 
 
 
 2.
 Applying the patch posted on 01 Oct 2003 23:47:26 +0900 will change the
 behavior of start_form() to use the complete URL rather than the script name
 only, so if you don't want that change, please apply the following patch:
 
 --- CGI.pm.orig Wed Sep 17 09:07:05 2003
 +++ CGI.pm      Thu Oct  2 00:46:52 2003
 @@ -1414,7 +1414,7 @@
      $method = $method || 'POST';
      $enctype = $enctype || &URL_ENCODED;
      $action = $action ? qq/ACTION="$action"/ : $method eq 'GET' ?
 -       'ACTION="'.$self->script_name.'"' : '';
 +       'ACTION="'.$self->escapeHTML($self->script_name).'"' : '';
      my($other) = @other ? " @other" : '';
      $self->{'.parametersToAdd'}={};
      return qq/<FORM METHOD="$method" $action ENCTYPE="$enctype"$other>\n/;
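Review bot: only the GET branch's derived script_name is escaped here; the first branch still emits a caller-supplied `$action` raw inside `ACTION="$action"`, and the POST branch emits no ACTION at all, so the fix rests on script_name() being the only server-derived input, which the 02 Oct 2003 message itself says cannot be assumed for every web server. Since this variant keeps the script-name-only behaviour while the 01 Oct patch switches to the full URL plus query string, the commit should record which of the two was applied so users know whether start_form() output changes.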
State-Changed-From-To: open->closed 
State-Changed-By: shige 
State-Changed-When: Fri Oct 3 09:28:10 PDT 2003 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=57390 
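The attribute break-out described in the 02 Oct 2003 message above, as an added example that is not code from CGI.pm or from this PR: a small Perl model of the ACTION= construction with the unescaped and escaped variants side by side. escape_html(), form_tag_raw(), form_tag_escaped() and action_value() are hypothetical helpers standing in for CGI.pm's own, and the request values are constructed from the URL quoted in that message.

```perl
# Added example, not code from CGI.pm or from the PR: a minimal model of how
# start_form() derives its ACTION= attribute, with the raw interpolation the
# report describes beside the escapeHTML()-style treatment the patches apply.
use strict;
use warnings;

# Hypothetical stand-in for CGI.pm's escapeHTML(): the characters that matter
# inside a double-quoted HTML attribute.
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Pre-patch behaviour: the derived URL goes into the attribute unescaped.
sub form_tag_raw {
    my ($script_name, $query_string) = @_;
    my $action = $script_name;
    $action .= "?$query_string" if length $query_string;
    return qq(<FORM METHOD="POST" ACTION="$action">);
}

# Patched behaviour: path and query string are escaped before interpolation.
sub form_tag_escaped {
    my ($script_name, $query_string) = @_;
    my $action = escape_html($script_name);
    $action .= '?' . escape_html($query_string) if length $query_string;
    return qq(<FORM METHOD="POST" ACTION="$action">);
}

# The value a browser takes for ACTION: everything up to the next double
# quote. Anything after that quote is parsed as markup, not as the URL.
sub action_value {
    my ($tag) = @_;
    return $tag =~ /ACTION="([^"]*)"/ ? $1 : undef;
}

# Constructed request values from the URL quoted in the report; QUERY_STRING
# reaches a CGI script undecoded, so the %20 sequences stay as they are.
my $script_name  = '/xss.cgi';
my $query_string = '">some%20text<!--%20';

for my $tag (form_tag_raw($script_name, $query_string),
             form_tag_escaped($script_name, $query_string)) {
    printf "tag:    %s\naction: %s\n\n", $tag, action_value($tag);
}
```

Running it shows the raw variant's ACTION value ending at the injected quote, with the remainder of the query string left outside the attribute, while the escaped variant keeps the whole URL inside a single attribute.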
>Unformatted:
