| home / about / webdesign / Miva / automation / contact |
http://mivo.truxoft.com |
|---|
| [ invert colors ] |
| M I V O ! |
|---|
| ABOUT |
| WHAT'S NEW |
| SECURITY |
| RESOURCES |
| MERCHANT |
| HOSTING |
| disclaimer |
MIVA® SECURITY: CGI-BIN-Form URL Vulnerability
by Ivo Truxa, 02/09/2000 (updated 03/11/2000)
What is it? / Since when? / What says Miva? / Fixes
On 9th March 2000 Miva Corporation published two Tech Notes that explain fixing of a serious security flaw in default installations of Unix version of Miva Empresa:
Miva Tech Note #1
Miva Tech Note #2
What is it all about?
Both Tech Notes explain the problem and its fixing in details. Unfortunately they do not serve the security flaw in clear words, so inexperienced reader could overlook its importance.
Default Miva Empresa configuration (Unix only, until Feb 2000) enables an intruder to access any file in the web space of a virtual server regardless of its Unix file permissions and regardless of Apache password security settings. All files would be accessed with owner's access permissions bypassing any password protection. Visitors can access any files in restricted areas. In a very simple way they can view '.htaccess' and other configuration files, sources of CGI scripts and data files. In connection with other known security holes or through revealed CGI scripts it could be used to exploit the system even deeper.
Since when is it known?
Strangely, it looks that the problem was known at least since summer 1998, when Mark Walker, Joe Tan and others mentioned it on the Miva user list:
- http://htmlscript.duc.auburn.edu/its/ducapps/hts-users/199806/
- http://htmlscript.duc.auburn.edu/its/ducapps/hts-users/199806/0544.html
- http://htmlscript.duc.auburn.edu/its/ducapps/hts-users/199806/0584.html
Because of its simplicity, it seems to be probable that the exploit was known and used already before. Some people probably did not realize all possible consequences of the security flaw. The resting users probably had the luck to have full access to their configuration and could fix the glitch and did not care about the rest. I want to believe that nobody used the hole to exploit competitors' sites, but that possibility was fully open.
I remarked the problem when I made a security check-up of my own site on 9th February 2000. After asking CERT for an advice I contacted Joe Austin, CEO of Miva Corporation and explained the problem. I was (correctly) told that it is just a configuration problem, not a software bug. However, after demonstrating that the Miva's own website is also incorrectly configured, exactly as most of other Miva enabled servers, Joe reacted quickly and begun to contact hosts on few next days.
What says Miva Co.?
Unfortunately, Miva Co. still did not manage to contact all hosts and Miva owners on 3rd March 2000 (a month later), when Jess Binam published part of the Miva Tech Note on the List. As reaction, I asked Miva to publish their statement and to support the request I published an article about another Miva related security issue on this site.
Very mild reaction of Miva users was surprising. Only thanks to Jonathan Wray, who stimulated the discussion, we finally got a statement from Miva Co (03/09/2000):
Johnathon and all,
We had planned, and still plan, on sending out a mass mailing to all registered license holders of Miva Empresa letting them know about the configuration issues.
We had a schedule of announcements. We were going to communicate via phone and email to Premier Hosting Partners then Standard Hosting partners. Then a mass mailing to all Miva Empresa license holders. Then a notification to the users list, publication on our site and notice to one or more online security sites.
Mass mailings need to be carefully undertaken so they take some time to put out. While we were still working on the mass mailing preparations, and in fact still communicating with a few partners, the issue arose on this list and we decided to make the tech notes public to this list ahead of schedule. We now are continuing on with the previous schedule of releasing information to license holders.
-Jeff Huber
Support Manager
Miva Corporation
When it will be fixed?
It is not known why Miva Co. did not contact immediately all Miva owners and there is still no schedule for the announced mass mailings. A single parameter entry in the Miva configuration file fixes the problem. Miva Co. does not need to send any updates nor patches and therefore I do not understand why it takes so long time. Because there are more security problems known and others are pending, we all hope that Miva Co. changes their security policy very soon.
How do I protect myself?
If you have the access to your Miva configuration file:
Use the 'redirectonly' parameter to disable the CGI-BIN-form URLs totally or add the 'validextensions' parameter to allow only defined file types to by used in a CGI-BIN-form URL. Find more details in the Miva Tech Notes.
If you do NOT have any access to your Miva configuration file:
Rename the miva binary and create your secure configuration file as described in art0006
Take care!
Miva and some other terms used on this page are registerd trademarks of the Miva Corporation
copyright truXoft © 1997-2008