Global port vulnerable to remote compromise through CGI script (Patch available)
8 Nov. 2000
Summary
Global is a source-code tagging system for indexing and searching large bodies of source code. The global port, versions 3.5 through to 3.55, contains a vulnerability in the CGI script generated by the htags utility which allows a remote attacker to execute code on the local system as the user running the script (typically user 'nobody').
Vulnerable systems:
Global CGI versions 3.5 through to 3.55
Immune systems:
Global CGI version 4.0.1
Corrected:
2000-10-09
There is no vulnerability in the default installation of the port, but if an administrator uses the 'htags -f' command to generate a CGI script enabling the browsing of source code, then the system is vulnerable to attack caused by incorrect validation of input.
An older version of global was included in previous releases of FreeBSD; this is not vulnerable to the problem described here.
Impact:
If the 'htags -f' command is used to generate a CGI script which is then installed under a web server, then remote users may execute arbitrary commands on the local system as the user which runs the CGI script.
If you have not chosen to install the global port/package, or you have not used the 'htags -f' command to produce a CGI script, then your system is not vulnerable to this problem.
Workaround:
Uninstall the global port/package, if you have installed it, or remove the 'global.cgi' file installed on the website.
Solution:
One of the following:
1) Upgrade your entire ports collection and rebuild the global port.
2) Uninstall the old package and install a new package dated after the correction date, obtained from:
4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:
