Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: PHP script: Penguin Traceroute, Remote Command Execution
From: "Philip Turner" <p.turner () newman ac uk>
Date: Fri, 22 Mar 2002 08:52:17 -0000

On 21 Mar 2002 at 14:16, paul jenkins wrote:

/* ------------------------------ *
 * --------Security Freaks------- *
 * ----www.securityfreaks.com---- *
 * ------------------------------ */


Info
====
Software: Penguin Traceroute
Website: http://www.linux-directory.com/scripts/traceroute.shtml
Versions: 1.0
Platforms: Linux
Vulnerability Type: Remote Command Execution


Details
=======
Penguin Traceroute is a perl script that does traceroute. This is another
script where the author forgets to parse the input for any ; | characters 
and anyone user is able to execute anything he wants with the same 
permitions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd" 
and there goes the passwords, or if the user apache has write access 
"127.0.0.1;echo I iz 1337>index.html".


Fix
===
Open up the perl script in your favorite text editor, find a line that has
"$host = $q->param('host');" Its usually the 13th line down then just add 
this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and 

Shouldn't this be "$host =~ s/[^0-9A-Za-z.-]//g;" on the basis 
that accepting known good is safer than rejecting known bad?

that should parse out any unwanted characters.






-- 
Phil Turner


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]