Bugtraq
mailing list archives
May SysAdmin man.sh security hole
From: aleph1 () NATIONWIDE NET (Aleph One)
Date: Sat, 16 May 1998 10:41:43 -0500
---------- Forwarded message ----------
Date: Fri, 15 May 1998 11:28:07 -0700
From: Robert Moniot <moniot () pascal dsm fordham edu>
Subject: May SysAdmin man.sh security hole
Newsgroups: comp.security.unix
The May 1998 issue of SysAdmin Magazine contains an article,
"Web-Enabled Man Pages", which includes source code for a very nice cgi
script named man.sh to feed man pages to a web browser. The hypertext
links to other man pages are an especially attractive feature.
Unfortunately, this script is vulnerable to attack. Essentially,
anyone who can execute the cgi thru their web browser can run any
system commands with the user id of the web server and obtain the
output from them in a web page.
I have notified the author, and he has undertaken to replace the code
posted on the www.samag.com website with corrected code, but in the
meantime here is a patch that I believe closes the security hole.
48,49c48,50
< sub(/\=/, "=\"", x)
< sub(/$/, "\"", x)
---
gsub(/[^-_=+%a-zA-Z0-9]/, ".", x) # strip out any funny chars
sub(/\=/, "='"'"'", x) # quote rhs in apostrophes
sub(/$/, "'"'"'", x)
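Review bot: The allow-list in the new gsub keeps "%" in the permitted set, so percent-encoded bytes pass through this filter untouched. The patch is safe only if nothing later in the script decodes %xx sequences before the value reaches the shell; if such a step exists, the filter should run after decoding, or "%" should be dropped from the class. Two smaller points: the comment says "strip out" but the code substitutes "." for each rejected character, and the '"'"' sequence deserves a short comment explaining that it emits a literal apostrophe, which presumably works because the awk program itself sits inside a single-quoted shell string.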
51,52c52,53
< gsub(/\+/, " ", x)
< print x
---
gsub(/\+/, " ", x) # change + to space
if( x ~ /^(man|srch)=/ ) print x
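Review bot: The new test on /^(man|srch)=/ drops every other parameter silently, so a request that carries no valid name now produces no output from this block at all, and whatever consumes the printed assignments should be checked to behave sensibly when neither man nor srch is set. A comment stating that man and srch are the only parameters the script accepts would make the allow-list easier to maintain. It is also worth noting in a comment that the "+" to space conversion relies on the value having already been wrapped in apostrophes by the previous hunk, so the two changes must not be reordered or applied separately.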