Gossamer Forum

Security Notice: Official Fix -- Important!

Hi!

My extreme apologies for the lateness of this fix, and my thanks to Eric for bringing it to my attention (unfortunately it came while I was away and the person who received it did not give it the proper attention it deserved).

I will update DBMan and Links 2.0 in the next 10 minutes or so fixing that issue, and a minor one brought to my attention by Blackwatch Labs -- passing in an invalid config file name can give viewers insight into your system setup, as it shows the environment variables. By default you won't get a full error message unless db_debug is turned on.

For those of you who have modified it a lot, it is a quick fix: in sub query, replace:

Code:
$regexp_func[$field] = eval "sub { m/$tmpreg/o; }";
with:

Code:
$regexp_func[$field] = eval 'sub { m/$tmpreg/o; }';
Again, my apologies about this! Once we finish our new SQL library, we plan to release a new updated version of DBMan as everyone here at Gossamer (myself included) has learned a lot, and the new code will show that. =)

Neither DBMan SQL, Links SQL or Gossamer Mail are affected by this (FileMan is, but it's only in the admin -- we will update it as well). If you have any questions about this, please don't hesitate to ask!

Cheers,

Alex

--
Gossamer Threads Inc.
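To make the one-line fix above concrete, here is a small stand-alone Perl script, added here as an illustration and not DBMan's own code. It builds the per-field matcher both ways (the double-quoted eval from the original and the single-quoted eval from the fix) and calls each with the same constructed search term that contains Perl code. With the double-quoted string the term is interpolated into the source that eval compiles, so the injected statement runs; with the single-quoted string the closure only ever reads the variable as a regex. The `build_vulnerable`, `build_fixed` and `run_match` names and the `$evil` value are my own; DBMan derives `$tmpreg` from the submitted search, which is why its contents are untrusted. One caveat the fix introduces: a syntactically invalid pattern now fails when the match runs rather than when the sub is compiled, so the example wraps the call in a block eval and treats a bad pattern as "no match".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not DBMan's own code. Builds the per-field matcher the way
# the vulnerable "sub query" line did and the way the fixed line does, then
# calls both with the same attacker-chosen search term. In DBMan $tmpreg is
# derived from the search request, so its contents are untrusted.

our $ran = 0;   # flipped to 1 only if injected Perl actually executes

# Constructed malicious search term: closes the m// early, adds a Perl
# statement, and opens a new m// so the generated source still compiles.
my $evil = 'x/; $main::ran = 1; m/x';

# BEFORE the fix: double quotes interpolate $tmpreg into the source text
# handed to eval, which for $evil becomes
#   sub { m/x/; $main::ran = 1; m/x/o; }
# so whatever the user typed is now part of the program.
sub build_vulnerable {
    my ($tmpreg) = @_;
    my $matcher = eval "sub { m/$tmpreg/o; }";
    die "compile error: $@" if $@;
    return $matcher;
}

# AFTER the fix: single quotes leave the literal characters $tmpreg in the
# source. The closure captures the variable and reads its value as a regex
# when the match runs; no part of the value is ever parsed as Perl.
sub build_fixed {
    my ($tmpreg) = @_;
    my $matcher = eval 'sub { m/$tmpreg/o; }';
    die "compile error: $@" if $@;
    return $matcher;
}

# Apply a matcher to one record value. The fixed matcher can still die when
# the user supplied a syntactically invalid regex (that error now surfaces at
# match time rather than at eval time), so the call is wrapped in a block
# eval and a bad pattern is reported as "no match" instead of killing the CGI.
sub run_match {
    my ($matcher, $value) = @_;
    local $_ = $value;
    my $hit = eval { $matcher->() ? 1 : 0 };
    if ($@) {
        warn "bad search pattern: $@";
        return 0;
    }
    return $hit;
}

$ran = 0;
run_match(build_vulnerable($evil), 'some record');
print "vulnerable matcher, injected code ran: $ran\n";

$ran = 0;
run_match(build_fixed($evil), 'some record');
print "fixed matcher, injected code ran:      $ran\n";

# The fixed matcher is still an ordinary regex search on benign input ...
print "fixed /foo/ against 'foobar': ", run_match(build_fixed('foo'), 'foobar'), "\n";

# ... and survives an unbalanced pattern from the user.
print "fixed /(/ against 'x':        ", run_match(build_fixed('('), 'x'), "\n";
```

Running it prints that the injected statement ran for the vulnerable matcher and did not for the fixed one, then a successful match for the benign pattern and a warning plus "no match" for the unbalanced one. Note that the fix only stops the search term from being compiled as code; the value is still an attacker-chosen regex that is run against your data, which is why the block eval around the match is worth keeping.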
Re: Security Notice: Official Fix -- Important!
Several people have asked about the environment fix. Replace cgierr with:

Code:
sub cgierr {
# --------------------------------------------------------
# Displays any errors and prints out FORM and ENVIRONMENT
# information. Useful for debugging. The raw form and environment
# dump is only sent to the browser when $db_debug is on; otherwise
# the viewer gets just the generic error line.

    if (!$html_headers_printed) {
        print "Content-type: text/html\n\n";
        $html_headers_printed = 1;
    }
    print "DBMan encountered an internal error. ";
    if ($db_debug) {
        print "<PRE>\n\nCGI ERROR\n==========================================\n";
        $_[0]      and print "Error Message   : $_[0]\n";
        $0         and print "Script Location : $0\n";
        $]         and print "Perl Version    : $]\n";
        $db_setup  and print "Setup File      : $db_setup.cfg\n";
        $db_userid and print "User ID         : $db_userid\n";
        $db_uid    and print "Session ID      : $db_uid\n";

        print "\nForm Variables\n-------------------------------------------\n";
        foreach $key (sort keys %in) {
            my $space = " " x (20 - length($key));
            print "$key$space: $in{$key}\n";
        }
        print "\nEnvironment Variables\n-------------------------------------------\n";
        foreach $env (sort keys %ENV) {
            my $space = " " x (20 - length($env));
            print "$env$space: $ENV{$env}\n";
        }
        print "\n</PRE>";
    }
    else {
        print "Please enable debugging to view.";
    }
    exit -1;
}
This will only show the env info if debugging is enabled. Otherwise people just see an internal error message.

Cheers,

Alex

--
Gossamer Threads Inc.
Re: Security Notice: Official Fix -- Important!
Hi Alex,

How do you fix this in the SQL version? This problem is also present in dbman-sql when, for example, you call a nonexistent database and database.cfg.

Re: Security Notice: Official Fix
Hello,

Could someone please clarify for me if I understand correctly the actions I must take to correct the security issue at hand? I am perl challenged, so I would appreciate any and all advice.


First, per instructions, I will replace:

$regexp_func[$field] = eval "sub { m/$tmpreg/o; }";

with:

$regexp_func[$field] = eval 'sub { m/$tmpreg/o; }';

Additionally, in my db.cgi file the line actually reads:

$regexp_func[$field] = eval 'sub { m/$tmpreg/o }';

Should I include the ; as shown in the fix

...'sub { m/$tmpreg/o; }';

, or is the code in the db.cgi correct? I saw a post that someone else had also found this discrepancy, but they attributed it to uploading a mod. I did not see a reply to this person's post as to what is correct.

Secondly, I saw a post from Alex relating to the sub cgierr code modification. Am I right in thinking that I must also modify this block of code in db.cgi?

Best Regards,

Kim Lanners

Re: Security Notice: Official Fix
This is one case where the ; is optional. It can be there or not. You decide. :)

It seems that you have already changed the quotation marks, so you're all set.

Yes, you should replace the subroutine as Alex has it listed above.

JPD
http://www.jpdeni.com/dbman/
Re: Security Notice: Official Fix
Thank you for your reply!

What I did earlier was to just replace the single line as per Alex's post. I will now go in and modify the subroutine. Thanks!

I am now in need of further assistance, for which I have created another post addressing the problem. I have been working on modifying the .cfg and html.pl file specific to my client's data. All seemed to be going along just fine, but now when I try to access the script at server/cgi-bin/db.cgi I get a 404 error. This has me baffled.

I am slowly back tracking, but I do believe I've looked at this so long that even if the error jumped out from the screen and slapped me in the face, I would not recognize it.

My question is: when accessing the script by....

server/cgi-bin/db.cgi

just what file is being pulled to render? Is it part of the html.pl file?

Since a 404 error is indicative of a missing or otherwise non-functioning page, I have combed over the html.pl file to see where I may have erred.

If I have managed to convey my problem in plain english, rather than gibberish, can you possibly shed some light on this for me please? I know that you are very busy and I can appreciate this. I am so very stuck, and would appreciate any guidance and/or direction you could provide.

Best Regards,

Kim Lanners



Software Made Easy
http://sme-net.com