ports/57390: CGI.pm in ports/japanese/perl5 has a cross-site scripting vulneravility

IIJIMA Hiromitsu delmonta at ht.sakura.ne.jp
Tue Sep 30 05:20:18 UTC 2003 

>Number:         57390
>Category:       ports
>Synopsis:       CGI.pm in ports/japanese/perl5 has a cross-site scripting vulneravility
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 29 22:20:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     IIJIMA Hiromitsu
>Release:        FreeBSD 4.7-RELEASE-p3 i386
>Organization:
DENNOU GEDOU GAKKAI, N. D. D. http://www.dennougedougakkai-ndd.org
>Environment:
System: FreeBSD sodans.usata.org 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #0: Wed Jan 22 14:50:19 JST 2003 root at www.my.domain:/usr/src/sys/compile/RENTALv6 i386

Userland is upgraded to -p16, while the kernel is still -p3.

>Description:
	** THIS IS A REPOST OF PR bin/57322,
		since I labelled wrong Category: line **

        A cross-site scripting vulnerability is reported in CGI.pm.
        All of the following are affected:
                - 4.x base system's perl 5.005_03
                - ports/japanese/perl5 (5.005_03 with Japanese patch)
                - ports/lang/perl5 (5.6.1)
                - ports/lang/perl5.8 (5.8.0)

        I sent separate PR for 4.x base system (PR bin/57321)
	and will send another for lang/perl5*.

>How-To-Repeat:
        See the exploit code at:
        http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2

>Fix:
        1. Currently, the only perfect solution is to replace CGI.pm with
           a newer one.

        2. It is safe to avoid using CGI.pm's start_form() until
	   PR ports/57302 is accepted.

        3. Just installing ports/www/p5-CGI.pm or latest version at CPAN does
           not solve the problem, since jperl finds the old CGI.pm in standard
           perl distribution, before searching site_perl folders where newer
           CGI.pm is installed.
           This problem will be solved if PR ports/57302 is accepted.

        4. If you do want to use start_form(), either
                - all local users are urged to make sure by themselves that
                  newer CGI.pm will be used, by using -I command-line option
                  or manipulating @INC array.
                - it may be possible to solve the problem by linking newer
		  CGI.pm to newer one by the following commands:
                        % su
                        # cd /usr/local/lib/perl5/5.00503
                        # ln -sf ../site_perl/5.005/CGI.pm .
>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list