|From: "FDSE Update Notification" <email@example.com>
From: "Update Notification" <firstname.lastname@example.org>
Subject: Genesis Web Authoring System security update
A person told me about a security hole in Genesis today. The hole can be patched by a single settings change, or by downloading the latest version.
A weakness in the Genesis algorithm for delegating CGI privileges may
allow a Genesis user without the "Allow CGI" privilege to author CGI
Any server running Genesis in which Genesis user accounts have been
created without the "Allow CGI" privilege.
All previous versions of Genesis have this weakness, even the 2.0
release from 1997.
This weakness can only be exploited by a person who already has a
Genesis account. Outside visitors cannot exploit this.
The danger would mostly come from people who have been given some
authoring rights, but who cannot be trusted with full access. A web site
that gives free non-CGI accounts to the public would be threatened by
When a file is requested from the web server, the web server can either
return the file directly (as with .jpg or .html files), or pass the file
through an interpreter (as with .pl or .php files). The web server
decides whether to use an interpreter based on the file extension. Files
that are passed through an interpreter can contain arbitrary commands,
and so, as a precaution, Genesis allows a user to edit these interpreted
files only when that user has the "Allow CGI" privilege.
The problem is that the Genesis list of interpreted file extensions may
be less comprehensive than the web server's list. In particular, the php3
extension is not listed in the Genesis "CGI Types" System Setting, but on
many Apache web servers, any file with the php3 extension will be
processed by the php interpreter. That interpreter provides read/write
access to much of the file system, beyond what Genesis may have delegated
to the user.
In reflecting on this problem, it seems that it is not possible for
Genesis to know about all possible file extensions that may be
interpreted by various web server configurations. Thus, from now on, the
approach will be for administrators to make an explicit list of known
non-CGI extensions, and a list of known CGI extensions. Users will be
able to modify *only* files with those extensions. The previous behavior
was to allow non-CGI users the right to edit any file *except* those
explicitly listed as CGI types.
Patching this hole is a three-step process.
1. Log in to Genesis, go to "Main Page" and then "System Settings". Find
the "Allow Only Known Types" setting and set it to 1. Or, upgrade to
Genesis version 2.1.0.0014 (in which this setting is internally hardcoded
2. Review the "Known Types" System Setting and confirm that none of the file
extensions listed there are being interpreted. The default Known Types
list contains only extensions that are *usually* not interpreted; there
is no way for Genesis to actually guarantee that they are safe. Some web
servers might process .html files through the SSI parser, for example, or
allow .js files to execute on the server side.
3. Review your user's existing files. If the user doesn't have the "Allow
CGI" privilege, but does have suspicious files like .php3, then you
should rename those files to safe extensions. The Genesis change in step
1 will prevent further authoring by that user, but won't remove the files
themselves; you have to do that. If the user has files with safe but
non-standard file extensions, then you will have to add those extensions
to the "Known Types" System Setting.
If you would like more information, please contact me at email@example.com or
Download and information available at:
To stop receiving email, visit: