Lasso CGI security hole (fwd)

Christian Horchert (t25@VAKUUM.NET)
Tue, 19 Aug 1997 09:20:40 +0200

---------- Forwarded message ----------
Date: Sun, 17 Aug 1997 22:49:12 -0500
From: Chuck Shotton <cshotton@biap.com>
Reply-To: WebSTAR-Dev <webstar-dev@starnine.com>
To: webstar-talk@starnine.com, webstar-dev@starnine.com
Subject: SECURITY ALERT! Lasso CGI security hole

It has recently been discovered that the Lasso CGI product from Blue World
Communications, Inc. has a security flaw that can make it possible for any
file on any Macintosh web server supporting CGIs to be accessed regardless
of security restrictions imposed by the web server. StarNine Technologies
is advising users of its WebSTAR servers to remove the current Lasso CGI
from active use and replace it with an updated version of Lasso that can be
obtained from Blue World.

Blue World is aware of the problem and has already created patches
correcting this behavior. These updates are available from their web site
at <http://www.blueworld.com/>. It should be noted that this problem with
Lasso will affect any web server application that has the capability of
running this specific CGI, regardless of server vendor. Users of other web
server applications should take action as well.

While the security flaw allows only read access to data stored on the
server, this data may include secure information, access control
information, or other data that may grant a higher level of access to the
server via another mechanism. Read access is unrestricted and references to
the data fork of any file on any mounted volume can be gained through this
flaw.

It is important to note that this is a problem with one specific CGI
application and is NOT a problem related to the Mac O/S or any Mac web
server product. This type of problem is inherently possible in the CGI
process, can exist on any hardware platform, any O/S, and any server since
it is up to CGI authors to ensure the security of their responses to WWW
clients. This is a very isolated problem and Blue World has already
corrected it in the versions of Lasso now available on-line.

In addition, if you are using other CGIs or plug-ins that return data from
your web server's file system, you should confirm with the appropriate
vendor(s) that no potential problem exists and that the plug-in or CGI
honors all the security restrictions of the parent web server. StarNine has
already performed a security audit to confirm that no such security holes
exist in the plug-in and CGI products it authors and ships with its WebSTAR
family of servers.

--_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Chuck Shotton StarNine Technologies, Inc.
chuck@starnine.com http://www.starnine.com/
cshotton@biap.com http://www.biap.com/
"Shut up and eat your vegetables!!!"

--
C.
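
The advisory does not describe how the Lasso flaw works, so the following is an added illustration, not code from the advisory, Blue World or StarNine. It shows the general check the last paragraph asks vendors to confirm: a file-returning CGI that confines reads to the document root and honors the server's protected areas. The directory layout, the `protected_prefixes` list and all function names are assumptions made for the example.

```python
import os
import tempfile

class AccessDenied(Exception):
    """The parent web server would not have served this request."""

def resolve_request(doc_root, requested, protected_prefixes, authenticated=False):
    """Return the real path a file-returning CGI may read, or raise AccessDenied."""
    root = os.path.realpath(doc_root)
    # Treat the request as relative to the root even if it begins with a separator.
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/\\")))
    # Check 1: after ".." and symlinks are resolved, the target is still inside the root.
    if os.path.commonpath([root, candidate]) != root:
        raise AccessDenied("outside document root")
    # Check 2: apply the server's own access rules instead of bypassing them.
    rel = os.path.relpath(candidate, root).replace(os.sep, "/")
    for prefix in protected_prefixes:  # hypothetical list of realm-protected areas
        p = prefix.strip("/")
        if (rel == p or rel.startswith(p + "/")) and not authenticated:
            raise AccessDenied("protected by server realm")
    if not os.path.isfile(candidate):
        raise AccessDenied("not a regular file")
    return candidate

def read_for_client(doc_root, requested, protected_prefixes, authenticated=False):
    path = resolve_request(doc_root, requested, protected_prefixes, authenticated)
    with open(path, "rb") as fh:
        return fh.read()

def demo():
    """Build a constructed file tree and return the outcome of each sample request."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "htdocs")
    os.makedirs(os.path.join(root, "private"))
    samples = {"htdocs/index.html": b"public page",
               "htdocs/private/users.txt": b"realm data",
               "server.acl": b"access control data"}   # lives outside the root
    for name, data in samples.items():
        with open(os.path.join(base, name), "wb") as fh:
            fh.write(data)
    results = {}
    for req, auth in [("index.html", False), ("../server.acl", False),
                      ("/private/users.txt", False), ("/private/users.txt", True)]:
        try:
            results[(req, auth)] = read_for_client(root, req, ["/private"], auth)
        except AccessDenied as exc:
            results[(req, auth)] = str(exc)
    return results
```

Calling `demo()` returns the outcome of each constructed request: file contents where the parent server would also have served the file, and a refusal reason otherwise.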