NeoWebScript to be released as Open Source


Eugene Lee

Jun 14, 1999, 3:00:00 AM
Houston, Texas, June 11, 1999

http://www.neowebscript.org/

NeoSoft Inc. today announced the release of its World Wide Web server software,
NeoWebScript, under an open source license. NeoWebScript is a computer
program that enables servers to distribute dynamic information on the
World Wide Web. The software, an add-in extension to the Apache webserver,
uses the Tool Command Language (TCL) to allow users to simply and powerfully
add dynamic content to their web pages. This software gives both
programmers and non-programmers the ability to add databases, on-the-fly
dynamically generated images, and complicated form processing to their
web content. The NeoWebScript code is included directly into webpages,
ensuring that adding these features is easily done within 3rd party
web page editors.

The new open source license announced today will give developers all over
the world the ability to update and extend NeoWebScript. Barbara Pearce,
Manager of Research and Development at NeoSoft, Inc., said that,
"After making NeoWebScript source code freely available for the last
several years, we want to complete the process by making it officially
open source." Open source software has come into national media attention
recently with the wildly successful Apache and Linux software packages.
Open source software is not tightly controlled by a company, and many
different programmers can use the Internet to collaborate on updates
and bug fixes. Barbara continued by saying, "We are extremely excited
about the possibilities for development that this step can provide to
an application we have worked with closely, which we feel is an exciting
and creative tool that we want to offer to the whole Internet community."

NeoSoft, Inc. is an Internet service provider based in Houston, Texas. It
provides Internet access to Houston and New Orleans, in addition to developing
software applications. NeoSoft, Inc. was formed in 1992.


--
Eugene Lee
eug...@neowebscript.org

Dave Warner

Jun 16, 1999, 3:00:00 AM
Great, thanks NeoSoft. Now if it were only easy to add to a pre-existing
Apache configuration, using whatever tcl/tclx 8+ I happen to have lying
around -- mod-neowebscript, anyone?

Dave

eug...@inferno.ops.neosoft.com wrote:
> Houston, Texas, June 11, 1999
>
> http://www.neowebscript.org/
>
> NeoSoft Inc. today announced the release of its World Wide Web server software,
> NeoWebScript, under an open source license. NeoWebScript is a computer

[snip ...]

Nathan Grass

Jun 17, 1999, 3:00:00 AM

> NeoSoft Inc. today announced the release of its World Wide Web server
> software, NeoWebScript

I have found a large security problem with their script; I have sent an
email to Eugene to contact me and we'll work on this pesky problem that
could render users of this product vulnerable to malicious attacks from
Internet users.

The flaw is much like many that simply allow the execution of arbitrary
programs on the affected machine with the access rights of the owner of
the program/script.

-- -- -- -- -- -- -- -- -- --
-- Nathan Grass http://www.zaz.net/
-- z...@zaz.net ICQ: 35510843
-- -- -- -- -- -- -- -- -- --



Herb Smith

Jun 17, 1999, 3:00:00 AM
to Nathan Grass
Nathan Grass wrote:
>
> > NeoSoft Inc. today announced the release of its World Wide Web server
> > software, NeoWebScript
>
> I have found a large security problem with their script; I have sent an
> email to Eugene to contact me and we'll work on this pesky problem that
> could render users of this product vulnerable to malicious attacks from
> Internet users.
>
> The flaw is much like many that simply allow the execution of arbitrary
> programs on the affected machine with the access rights of the owner of
> the program/script.

Upon examination, it appears that the security problem was with some
internal code that was being used at our site, and not with the basic
NeoWebScript distribution. Specifically, I wrote a procedure that I was
using to log referer information on some of our pages. In
that code, I was setting a variable at the top level of the
stack frame, using the uplevel command, rather than declaring
the variable global. Specifically, the error was in line 34,
which read

uplevel #0 "set referer $webenv(HTTP_REFERER)"

Due to how uplevel works, the value in webenv(HTTP_REFERER) was
being executed, if it contained valid Tcl code. Therefore, anybody
accessing the files that loaded the procedures could be used to execute
arbitrary programs, with the script owner's access rights.

By declaring referer to be a global variable, and changing the line
to read

set referer $webenv(HTTP_REFERER)

the security problem has been fixed.

We have searched all of the NeoWebScript releases, and the procedures
were not included in any of them.

In summary, the security hole problem was limited to the NeoSoft
website, and only to our corporate pages that included the procedures.

Kudos to Nathan Grass for finding the problem, bringing it to our
attention, and setting up an exploit page so we could see exactly
what was occurring. He made it very easy for us to track the bug
down, which made it easy for us to fix. Thanks, Nathan!

Herb
--
Herb Smith - WebTeam Leader NeoSoft, Inc.
hsm...@neosoft.com 713-968-5800
http://www.neosoft.com/~hsmith http://www.neosoft.com

If you think it's expensive to hire a professional to do the job,
wait until you hire an amateur.
-- Red Adair

Heribert Dahms

Jun 17, 1999, 3:00:00 AM
In <37693E78...@neosoft.com> hsm...@neosoft.com (Herb Smith) writes:

: uplevel #0 "set referer $webenv(HTTP_REFERER)"


:
: Due to how uplevel works, the value in webenv(HTTP_REFERER) was
: being executed, if it contained valid Tcl code. Therefore, anybody
: accessing the files that loaded the procedures could be used to execute
: arbitrary programs, with the script owner's access rights.

Is webenv also global? Then you should have used:


uplevel #0 {set referer $webenv(HTTP_REFERER)}

else


uplevel #0 "set referer \$webenv(HTTP_REFERER)"

: By declaring referer to be a global variable, and changing the line


: to read
:
: set referer $webenv(HTTP_REFERER)
:
: the security problem has been fixed.

or in recent Tcl versions instead of declaring global:
set ::referer $webenv(HTTP_REFERER)


Bye, Heribert (da...@ifk20.mach.uni-karlsruhe.de)

Eugene Lee

Jun 17, 1999, 3:00:00 AM
Dave Warner <da...@lucent.com> wrote:
>Great, thanks NeoSoft. Now if it were only easy to add to a pre-existing
>Apache configuration, using whatever tcl/tclx 8+ I happen to have lying
>around -- mod-neowebscript, anyone?

It took a few steps towards that direction with the 3.0 release that
was built on Tcl 8.0 (we have not yet tested it with the Tcl 8.1.x
releases). The modules can be dropped into an existing Apache 1.3.x
server without affecting other existing modules (except perhaps with
mod_include, depending on server-parsed filename extension and the
assigned handler). There is also a directory of initialization
files that need to be added, but that's trivial to do (just untar it
within a special directory under ServerRoot).

The trickier part involves the TclX extension and our NeoTcl package
(which already includes TclX). Some of the functionality depends on
these two being available, and they will not work without them.

(John O, please please include 'lassign' into the Tcl core itself. :)

--
Eugene Lee
eug...@neowebscript.org

Bryan Oakley

Jun 17, 1999, 3:00:00 AM
Herb Smith wrote:
> Upon examination, it appears that the security problem was with some
> internal code that was being used at our site, and not with the basic
> NeoWebScript distribution. Specifically, I wrote a procedure that I was
> using to log referer information on some of our pages. In
> that code, I was setting a variable at the top level of the
> stack frame, using the uplevel command, rather than declaring
> the variable global. Specifically, the error was in line 34,
> which read
>
> uplevel #0 "set referer $webenv(HTTP_REFERER)"

Yep. Gotta be careful with uplevel and eval when you don't fully control
the data. Personally, I'd code that as:

uplevel \#0 "set referer {$webenv(HTTP_REFERER)}"

or

uplevel \#0 [list set referer $webenv(HTTP_REFERER)]

--
Bryan Oakley mailto:oak...@channelpoint.com
ChannelPoint, Inc. http://purl.oclc.org/net/oakley

Education is full of oversimplified lies which can be
refined into the truth later.

Donal K. Fellows

Jun 22, 1999, 3:00:00 AM
In article <3769760E...@channelpoint.com>,
Bryan Oakley <oak...@channelpoint.com> wrote:
> Herb Smith wrote:
[ there was a security fault in ]

>> uplevel #0 "set referer $webenv(HTTP_REFERER)"
>
> Yep. Gotta be careful with uplevel and eval when you don't fully control
> the data. Personally, I'd code that as:
> uplevel \#0 "set referer {$webenv(HTTP_REFERER)}"

And *Boom* Bryan walks straight into a common pit-trap, one that
catches many who ought to know better. Consider the case where
webenv(HTTP_REFERER) contains the nasty string:

};puts HA_HA_SECURITY_HOLE;exit;{

Merely putting braces round a *random* (and especially a malicious)
string will never make that string safe to pass to an [eval]-like
command...

> or
> uplevel \#0 [list set referer $webenv(HTTP_REFERER)]

That is safe under all conditions. This is because [list] examines
its data, putting all quoting required to make a string safe.

Donal.
--
Donal K. Fellows http://www.cs.man.ac.uk/~fellowsd/ fell...@cs.man.ac.uk
-- The small advantage of not having California being part of my country would
be overweighed by having California as a heavily-armed rabid weasel on our
borders. -- David Parsons <o r c @ p e l l . p o r t l a n d . o r . u s>
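
The four ways of writing the assignment that come up in this thread, run side by side against the same inputs. This is an added example, not code from any poster or from NeoWebScript. It assumes `webenv` is a global array; the proc names, the `injected` marker variable and the sample Referer values are constructed for illustration, and the last sample has the shape of the string in Donal Fellows's post but only sets a marker.

```tcl
# Added demonstration. Assumes webenv is a global array; proc names,
# the ::injected marker and the sample values are constructed here.
# As originally posted: the header text is pasted into the script.
proc log_quoted {} {
    global webenv
    uplevel #0 "set referer $webenv(HTTP_REFERER)"
}
# Braces added around the value: a close-brace in the data ends them early.
proc log_braced {} {
    global webenv
    uplevel #0 "set referer {$webenv(HTTP_REFERER)}"
}
# The list command quotes each element, so the value stays a single word.
proc log_list {} {
    global webenv
    uplevel #0 [list set referer $webenv(HTTP_REFERER)]
}
# The fix Herb describes: no second evaluation at all.
proc log_global {} {
    global webenv referer
    set referer $webenv(HTTP_REFERER)
}

# Run one form against one header value and report what happened.
proc check {form value} {
    global webenv injected referer
    set webenv(HTTP_REFERER) $value
    set injected 0
    unset -nocomplain referer
    set failed [catch {$form} msg]
    if {$injected} { return "INJECTED: data ran as code" }
    if {$failed} { return "error: $msg" }
    if {[info exists referer] && $referer eq $value} { return "stored verbatim" }
    return "stored, but altered"
}

# Constructed Referer values; the last two carry a harmless marker command.
set samples [list \
    "http://example.invalid/index.html" \
    "http://example.invalid/a b.html" \
    "x; set ::injected 1" \
    "\}; set ::injected 1; #\{"]

foreach value $samples {
    puts "Referer: $value"
    foreach form {log_quoted log_braced log_list log_global} {
        puts [format "  %-11s %s" $form [check $form $value]]
    }
}
```

Run it with tclsh 8.4 or later. The second sample shows that the quoted form also fails on a harmless value containing a space, which is a quick way to spot this pattern in review.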
