26th Sep 2002 [SBWID-5251]
COMMAND
	multiple CGIscript.net scripts remote code execution
SYSTEMS AFFECTED
	 csGuestbook
	 csLiveSupport
	 csNewsPro
	 csChatRBox
PROBLEM
	Steve Gustin found the following vulnerabilities in some CGIscript.net
	scripts:
	CGIScript.net distributes a number of free and commercial perl cgi
	scripts developed by Mike Barone and Andy Angrick. Last month a Remote
	Code Execution vulnerability was found in their csSearch product;
	further research and information provided by the Vendor has revealed
	that four (4) additional scripts have the same vulnerability.
	These scripts are:
	 csGuestBook   - guestbook program
	 csLiveSupport - web based support/chat program
	 csNewsPro     - website news updater/editor
	 csChatRBox    - web based chat script
	These scripts store their configuration data as perl code in a file
	called "setup.cgi", which is eval()uated by the script to load it back
	into memory at runtime. Due to an Access Validation Error, any user can
	cause configuration data to be written to "setup.cgi" and therefore
	execute arbitrary perl code on the server.
	 EXPLOIT 
	 =======
	Configuration data is (typically) saved with the following URL.
	
	scriptname.cgi?command=savesetup&setup=PERL_CODE_HERE
	
	Note that any perl code would need to be URL encoded. A  malicious  user
	could essentially execute any arbitrary perl  code  or  shell  commands.
	Only csChatRBox was  tested  for  this  vulnerability,  however,  Vendor
	stated the other scripts were also affected.
	SysAdmins wanting to scan for affected  scripts  should  check  for  the
	following     filenames:     "csGuestbook.cgi",     "csLiveSupport.cgi",
	"csNews.cgi", "csChatRBox.cgi".
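	Besides checking for the filenames, web server access logs can be
	reviewed for past savesetup requests against those scripts. The
	following is an added example, not part of the original advisory or the
	vendor's code; it assumes Common Log Format access logs and requests
	made with a query string as shown above (POST bodies are not logged),
	and the function name and sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script filenames listed in the advisory (compared case-insensitively).
AFFECTED = {"csguestbook.cgi", "cslivesupport.cgi", "csnews.cgi", "cschatrbox.cgi"}

# Client address, request line and status of a Common/Combined Log Format entry.
REQUEST_RE = re.compile(r'^(\S+) .*?"([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3})')

def find_savesetup_requests(log_lines):
    """Return (client, script, status, decoded setup value) for each logged
    request that calls command=savesetup on one of the affected scripts."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable access-log entry
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        script = url.path.rsplit("/", 1)[-1]
        if script.lower() not in AFFECTED:
            continue
        # parse_qs URL-decodes values, so the logged setup= data is readable.
        params = parse_qs(url.query, keep_blank_values=True)
        commands = [c.lower() for c in params.get("command", [])]
        if "savesetup" in commands:
            setup = " ".join(params.get("setup", []))
            hits.append((client, script, int(status), setup))
    return hits

# Constructed sample log lines (documentation IP ranges, harmless setup value).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2002:10:00:01 +0000] '
    '"GET /cgi-bin/csChatRBox.cgi?command=login HTTP/1.0" 200 512',
    '198.51.100.7 - - [26/Sep/2002:10:02:13 +0000] '
    '"GET /cgi-bin/csChatRBox.cgi?command=savesetup&setup=%24title%3D%22x%22%3B HTTP/1.0" 200 87',
    '198.51.100.7 - - [26/Sep/2002:10:02:20 +0000] '
    '"GET /cgi-bin/other.cgi?command=savesetup&setup=1 HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for client, script, status, setup in find_savesetup_requests(SAMPLE_LOG):
        print(f"{client} wrote setup via {script} (HTTP {status}): {setup!r}")
```

	A hit is a lead to review rather than proof of compromise, since
	configuration saves made by the site's own administrator use the same
	command; compare the client address and decoded setup value against
	expected administrative activity.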
	 IMPACT
	 ======
	Because of the high number of users who are using CGIscript.net  scripts
	(over 17,000 csSearch users alone according  to  the  website)  and  the
	fact that search engines can easily be used to identify sites  with  the
	unique "csScriptName.cgi" script names, the risk posed  by  these  flaws
	is very high indeed.
	Additionally, because the Vendor does not post version numbers or
	changelogs (that we could find) on their website or with their software,
	and because the patched version of csChatRBox has the same version
	number as the vulnerable version (1.0), it may be more difficult
	for users to determine whether or not their script is vulnerable.
SOLUTION
	Vendor has released updated versions of  all  the  affected  scripts  to
	patch the flaws.