J-Security Center

Title: Haserl Local Environment Variable Manipulation Vulnerability

Severity: MODERATE

Description:

Haserl is an application designed to allow for the execution of CGI scripts that are embedded in HTML documents. It is meant to facilitate dynamic Web page generation on computers and devices that have a limited memory and storage capacity.

Haserl is reportedly affected by a local environment variable manipulation vulnerability. This issue is due to a design error that allows local users to manipulate environment variables.

The problem presents itself when a local attacker crafts an HTML document with embedded CGI script code. Haserl reportedly stores every input form variable declared and used in the script directly in a shell environment variable of the same name. An attacker can therefore submit a form variable whose name matches an existing environment variable, causing that variable to be overwritten with attacker-supplied data.

An attacker may leverage this issue to arbitrarily read, corrupt or update environment variables with the privileges of the affected web server.

Because environment variables can be changed in this way, the issue may lead to further loss of integrity on the affected computer. Depending on how the attacker-specified script is implemented, it may be possible to execute arbitrary commands on the underlying computer.
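As an added illustration (not Haserl's own code or part of the original advisory), the following POSIX shell sketch shows the exporting behaviour described above beside a hardened alternative that namespaces form fields and validates their names. The FORM_ prefix, the identifier check and the field names are this example's own assumptions, not something the advisory states about Haserl.

```shell
#!/bin/sh
# Constructed illustration of the weak design the advisory describes and a
# hardened alternative. Not Haserl's code; all field names below are invented.
# Both functions read decoded form fields as "name=value" lines on stdin.

# Weak: each field is exported under its own name, so a submitted field
# called SERVER_NAME (or PATH) replaces the value the web server had set
# before the embedded script runs.
unsafe_export() {
  while IFS='=' read -r name value; do
    export "$name=$value"
  done
}

# Hardened: accept only valid shell identifiers, and place every field in a
# FORM_ namespace so it can never collide with a server-provided variable.
safe_export() {
  while IFS='=' read -r name value; do
    case "$name" in
      ""|[0-9]*|*[!A-Za-z0-9_]*)
        printf 'safe_export: rejected field name %s\n' "$name" >&2
        continue ;;
    esac
    export "FORM_$name=$value"
  done
}

# Demonstration on a constructed request: SERVER_NAME stands in for any
# variable the server set before the CGI script ran.
SERVER_NAME=intranet.example; export SERVER_NAME
unsafe_export <<'EOF'
SERVER_NAME=evil.example
EOF
printf 'after unsafe_export: SERVER_NAME=%s\n' "$SERVER_NAME"

SERVER_NAME=intranet.example
safe_export <<'EOF'
SERVER_NAME=evil.example
x-y=1
EOF
printf 'after safe_export:   SERVER_NAME=%s FORM_SERVER_NAME=%s\n' \
  "$SERVER_NAME" "$FORM_SERVER_NAME"
```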

Affected Products:

  • Haserl Haserl 0.4.0
  • Haserl Haserl 0.4.1
  • Haserl Haserl 0.4.2
  • Haserl Haserl 0.5.0
  • Haserl Haserl 0.5.1
