Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: PHP script: Penguin Traceroute, Remote Command Execution
From: bugtraq () planet nl
Date: Fri, 22 Mar 2002 23:53:41 +0100

I informed the admin of linux-directory about this months ago, but he doesn't seem to 
care a lot. The nslookup script on his site is also vulnerable to file reading and 
command executing vulnerabilities.
Anyone noticed that the sample traceroute script doesn't work at all?

Niels Teusink

On 21 Mar 2002 at 14:16, paul jenkins wrote:

/* ------------------------------ *
 * --------Security Freaks------- *
 * ----www.securityfreaks.com---- *
 * ------------------------------ */


Info
====
Software: Penguin Traceroute
Website: http://www.linux-directory.com/scripts/traceroute.shtml
Versions: 1.0
Platforms: Linux
Vulnerability Type: Remote Command Execution


Details
=======
Penguin Traceroute is a perl script that does traceroute. This is another
script where the author forgets to parse the input for any ; | characters 
and anyone user is able to execute anything he wants with the same 
permitions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd" 
and there goes the passwords, or if the user apache has write access 
"127.0.0.1;echo I iz 1337>index.html".


Fix
===
Open up the perl script in your favorite text editor, find a line that has
"$host = $q->param('host');" Its usually the 13th line down then just add 
this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and 
that should parse out any unwanted characters.







  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault