Vendor: National Center for Biotechnology Information (NCBI)
Product: NCBI ToolBox
Affected versions: 2.0.7 through 2.2.26
The Information Engineering Branch (IEB) of the National Center for Biotechnology Information (NCBI) developed the NCBI ToolBox which includes programming libraries, originally written in a portable dialect of C. It has since been replaced with a newer version written in C++. The vulnerabilities discussed in this report have been found within the earlier C-based programming libraries, and are exposed by the legacy web interface to BLAST, one of the most widely used bioinformatics research tools. We discovered researchers within the University of Cambridge still using the legacy interface, and it's likely that researchers in other institutions are doing the same (popular bioinformatics tools often enjoy a much longer service life than other types of software).
The worst affected component is the CGI program "nph-viewgif.cgi". It takes a single argument, a filename, opens that file and copies its contents to stdout. The argument is not adequately filtered, so directory traversal with "../" sequences is trivial. After the file has been sent, the program calls remove() on it, so the selected file is also deleted whenever the web server process is permitted to unlink it (on POSIX that means write permission on the directory containing the file, not on the file itself). The traversal is very easy to exploit, e.g.:
$ curl 'https://www.example.com/blast/nph-viewgif.cgi?../../../../etc/passwd'
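The behaviour described above, reconstructed as an added example in C. This is illustrative code written for this page, not the NCBI ToolBox source: vulnerable_viewgif() trusts the request argument as a path under a spool directory, copies the file to the response and then removes it, while hardened_viewgif() allowlists the filename, confines the realpath()-resolved file to the spool directory (which also defeats symlinks planted there), opens with O_NOFOLLOW and only unlinks the spool file it has verified. The spool directory layout, the file names and the function names are assumptions; demo() builds a throwaway fixture under /tmp so the comparison runs offline.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Vulnerable pattern (illustration of the advisory's description, not the NCBI source):
 * the argument is appended to the spool directory unchecked, copied out, then removed. */
int vulnerable_viewgif(const char *spool, const char *arg, FILE *out)
{
    char path[PATH_MAX], buf[4096];
    size_t n;
    snprintf(path, sizeof path, "%s/%s", spool, arg); /* "../../etc/passwd" walks out */
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) fwrite(buf, 1, n, out);
    fclose(f);
    remove(path); /* deletes the traversed-to file if its directory is writable */
    return 0;
}

/* Hardened: name must be a plain spool file name (no '/', no "..", no leading '.',
 * ".gif" suffix), the resolved path must sit directly inside the spool directory,
 * and only that verified file is ever unlinked. */
int safe_name(const char *arg)
{
    size_t len = strlen(arg);
    if (len == 0 || len > 64 || arg[0] == '.' || strstr(arg, "..")) return 0;
    for (size_t i = 0; i < len; i++) {
        char c = arg[i];
        if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
              (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    const char *dot = strrchr(arg, '.');
    return dot != NULL && strcmp(dot, ".gif") == 0;
}

int hardened_viewgif(const char *spool, const char *arg, FILE *out)
{
    char base[PATH_MAX], path[PATH_MAX], resolved[PATH_MAX], buf[4096];
    struct stat st;
    ssize_t n;
    if (!safe_name(arg) || !realpath(spool, base)) return -1;
    snprintf(path, sizeof path, "%s/%s", base, arg);
    if (!realpath(path, resolved)) return -1;      /* also rejects missing files */
    size_t blen = strlen(base);
    if (strncmp(resolved, base, blen) != 0 || resolved[blen] != '/' ||
        strchr(resolved + blen + 1, '/') != NULL)
        return -1;                                 /* resolved outside the spool dir */
    int fd = open(resolved, O_RDONLY | O_NOFOLLOW); /* no symlink as last component */
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) { close(fd); return -1; }
    while ((n = read(fd, buf, sizeof buf)) > 0) fwrite(buf, 1, (size_t)n, out);
    close(fd);
    unlink(resolved);                              /* only the verified spool file */
    return 0;
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed fixture (assumed layout): spool/job1.gif is legitimate, spool/evil.gif is a
 * symlink out of the spool, secret.txt sits outside it. Returns 0 when the vulnerable
 * version leaks and deletes secret.txt while the hardened one refuses every escape. */
int demo(void)
{
    char tmpl[] = "/tmp/viewgif-XXXXXX";
    char *root = mkdtemp(tmpl);
    if (!root) return -1;
    char spool[PATH_MAX], secret[PATH_MAX], gif[PATH_MAX], link[PATH_MAX];
    snprintf(spool, sizeof spool, "%s/spool", root);
    snprintf(secret, sizeof secret, "%s/secret.txt", root);
    snprintf(gif, sizeof gif, "%s/spool/job1.gif", root);
    snprintf(link, sizeof link, "%s/spool/evil.gif", root);
    if (mkdir(spool, 0700) != 0 || write_file(secret, "top secret\n") != 0 ||
        write_file(gif, "GIF89a") != 0 || symlink(secret, link) != 0) return -1;
    FILE *sink = tmpfile();                /* stands in for the CGI's stdout */
    int bad = 0;
    if (vulnerable_viewgif(spool, "../secret.txt", sink) != 0) bad |= 1;  /* served */
    if (access(secret, F_OK) == 0) bad |= 2;                              /* and deleted */
    write_file(secret, "top secret\n");
    if (hardened_viewgif(spool, "../secret.txt", sink) == 0) bad |= 4;    /* refused */
    if (hardened_viewgif(spool, "evil.gif", sink) == 0) bad |= 8;         /* symlink refused */
    if (access(secret, F_OK) != 0) bad |= 16;                             /* nothing deleted */
    if (hardened_viewgif(spool, "job1.gif", sink) != 0) bad |= 32;        /* real job served */
    if (access(gif, F_OK) == 0) bad |= 64;                                /* and consumed */
    fclose(sink);
    unlink(link); unlink(secret); rmdir(spool); rmdir(root);
    return bad;
}

int main(void)
{
    int bad = demo();
    printf(bad == 0 ? "demo ok\n" : "demo failed: mask %d\n", bad);
    return bad != 0;
}
```

The allowlist alone would stop the "../" request shown above; the realpath() confinement and O_NOFOLLOW are there because a spool directory writable by the web server is exactly where an attacker with any other foothold would drop a symlink, and the unlink is deferred until the file has passed every check so that the deletion primitive cannot be aimed outside the spool.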
Using simple "Google hacking" queries, we quickly found dozens of vulnerable servers exposed by universities and even government laboratories. Despite the software's age and the availability of superior (faster) tools, it still enjoys considerable popularity in the higher-education (HE) sector.
The software has recently been removed from NCBI's download site, but many live instances may still remain in the wild. We would obviously discourage use of the deprecated web application, particularly on publicly exposed interfaces.
See also CVE-2018-16718, CVE-2018-16717.