Home page logo
/

bugtraq logo Bugtraq mailing list archives

May SysAdmin man.sh security hole
From: aleph1 () NATIONWIDE NET (Aleph One)
Date: Sat, 16 May 1998 10:41:43 -0500


---------- Forwarded message ----------
Date: Fri, 15 May 1998 11:28:07 -0700
From: Robert Moniot <moniot () pascal dsm fordham edu>
Subject: May SysAdmin man.sh security hole
Newsgroups: comp.security.unix


The May 1998 issue of SysAdmin Magazine contains an article,
"Web-Enabled Man Pages", which includes source code for very nice cgi
script named man.sh to feed man pages to a web browser.  The hypertext
links to other man pages are an especially attractive feature.

Unfortunately, this script is vulnerable to attack.  Essentially,
anyone who can execute the cgi thru their web browser can run any
system commands with the user id of the web server and obtain the
output from them in a web page.

I have notified the author, and he has undertaken to replace the code
posted on the www.samag.com website with corrected code, but in the
meantime here is a patch that I believe closes the security hole.

48,49c48,50
<           sub(/\=/, "=\"", x)
<           sub(/$/, "\"", x)
 ---
          gsub(/[^-_=+%a-zA-Z0-9]/, ".", x)   # strip out any funny chars
          sub(/\=/, "='"'"'", x)              # quote rhs in apostrophes
          sub(/$/, "'"'"'", x)
51,52c52,53
<           gsub(/\+/, " ", x)
<           print x
 ---
          gsub(/\+/, " ", x)                  # change + to space
          if( x ~ /^(man|srch)=/ ) print x



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault