vuln.sg Vulnerability Research Advisory

CGI::Session "File" Driver Session Cookie Directory Traversal

by Tan Chew Keong
Release Date: 2008-07-16

Summary

A vulnerability has been found within the "File" driver in CGI::Session. When exploited, this vulnerability potentially allows an attacker to bypass session control restrictions. This vulnerability affects web applications that use CGI::Session's "File" driver for session management on a Windows-based system.


Tested Versions


Details

A vulnerability has been found within the "File" driver in CGI::Session. When exploited, this vulnerability potentially allows an attacker to bypass session control restrictions. This vulnerability affects web applications that use CGI::Session's "File" driver for session management on a Windows-based system. Linux-based systems are not affected; other platforms have not been tested.

CGI::Session does not perform sufficient sanitization of the CGISESSID cookie value before using it in the "File" driver to construct the filename of the session data file. By inserting directory traversal sequences into the cookie value, it is possible to cause the "File" driver to read session data from arbitrary files located outside of the configured session data directory.
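As an added illustration (not code from CGI::Session or from the advisory author), the following Perl shows the unsafe pattern the advisory describes beside a hardened version that accepts only a well-formed session ID before it is used to build a file name. The session directory, the "cgisess_<id>" file-name pattern and the sample cookie values are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Constructed assumption: directory and file-name pattern are illustrative,
# not CGI::Session's real configuration.
my $SESSION_DIR = '/tmp/sessions';

# Unsafe pattern: the raw cookie value goes straight into the file name, so
# any path component the client supplies ('..', separators) is honoured.
sub unsafe_session_file {
    my ($sid) = @_;
    return File::Spec->catfile($SESSION_DIR, "cgisess_$sid");
}

# Hardened version: accept only an identifier of the expected shape
# (32 hex digits, nothing else), which leaves no room for '.', '/', '\' or NUL.
# A second line of defence is to resolve the final path and confirm it still
# lies under $SESSION_DIR before opening it.
sub safe_session_file {
    my ($sid) = @_;
    return undef unless defined $sid && $sid =~ /\A[0-9a-fA-F]{32}\z/;
    return File::Spec->catfile($SESSION_DIR, "cgisess_$sid");
}

# Constructed sample cookie values: one well-formed ID and three malformed
# ones (traversal sequence, too short, trailing NUL) a validator must refuse.
my @samples = (
    '0123456789abcdef0123456789abcdef',
    '..\\..\\other_file',
    'abc',
    "0123456789abcdef0123456789abcdef\0",
);

for my $sid (@samples) {
    my $shown = $sid =~ s/\0/\\0/gr;            # make the NUL visible
    my $safe  = safe_session_file($sid);
    printf "%-36s unsafe: %s\n", $shown, unsafe_session_file($sid);
    printf "%-36s safe:   %s\n", '', defined $safe ? $safe : 'REJECTED';
}
```

Only the first sample yields a path from safe_session_file; the rest are rejected before any file name is formed.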

NOTE: This directory traversal issue is confirmed exploitable if CGI::Session is used on a Windows-based system. Linux-based systems are not affected; other platforms have not been tested.

More specifically, the vulnerability is confirmed to be exploitable when ALL of the following conditions are met:

  • The web application uses the "File" driver in CGI::Session for session management.
  • The web application is deployed or can be deployed on a Windows-based system.
  • The web application allows users to upload/create/update files in known or predictable locations on the web server.

Please see this advisory for an application that is affected by this vulnerability.


Patch / Workaround

Update to version 4.34 or later. Changelog is here.


Disclosure Timeline

2008-07-10 - Vulnerability Discovered in FreeStyleWiki.
2008-07-11 - Vulnerability Details Sent to Developer of FreeStyleWiki.
2008-07-11 - Vulnerability Details Sent to Developers of CGI::Session.
2008-07-12 - Received Reply that the issue will be fixed.
2008-07-13 - Received Reply that patches have been checked into SVN repository.
2008-07-13 - Received Reply that fixed version 4.34 has been released.
2008-07-16 - Public Release.


Contact
For further enquiries, comments, suggestions or bug reports, simply email them to