Bugtraq
mailing list archives
Re: Jason Maloney's CGI Guestbook Remote Command Execution Vulnerability.
From: Nick Cleaton <nick () cleaton net>
Date: Wed, 3 Dec 2003 14:41:18 +0000
On Mon, Dec 01, 2003 at 06:26:32PM +0000, Shaun Colley wrote:
[SNIP]
Here is the error-prone code:
###################### CUT HERE ######################
############################################################
#Don't touch, these are necessary to run the script!
$mailprog = '/usr/lib/sendmail';
$entry = 1;
$allow = 1;
$date_command = "/usr/bin/date";
############################################################
$date = `$date_command +"%B %d, %Y"`; chop($date);
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
($name, $value) = split(/=/, $pair);
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
$value =~ s/<!--(.|\n)*-->//g;
if ($allow != 1) {
$value =~ s/<([^>]|\n)*>//g;
}
$FORM{$name} = $value;
}
###################### CUT HERE ######################
The above code trustingly reads in data from the
user's HTTP POST request (their submission of a
guestbook post), assigning all values to variables
specified in the POST request. Due to bad user input
checking, the user could easily change the value of a
variable holding the path of a program to be opened as
a pipe, such as $mailprog. $mailprog holds the path
of the sendmail application, and could be changed to
an arbitrary program depending upon the attacker's
desire.
No, the user could easily change $FORM{'mailprog'}, but there's
nothing in the code above that could change $mailprog itself.
This is a false alarm.
--
Nick Cleaton
nick () cleaton net
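To make the point of the reply concrete, here is an added example (not code from the advisory or from the guestbook script) that wraps the quoted decoding loop in a function and feeds it a constructed POST body containing a field named "mailprog". The field lands in %FORM; the configuration scalar $mailprog is never assigned to, so the pipe path cannot be changed this way. The `split` limit of 2 is a small deviation from the original, noted in a comment.

```perl
#!/usr/bin/perl
# Added example: the guestbook's form decoding, isolated as a function,
# run against a constructed request body instead of STDIN.
use strict;
use warnings;

my $mailprog = '/usr/lib/sendmail';   # configuration scalar, as in the script
my $allow    = 1;

# Same decoding steps as the quoted loop: split pairs on '&', split each
# pair on '=', turn '+' into space, decode %XX escapes, strip HTML
# comments, and (when $allow != 1) strip any remaining tags.
sub parse_form {
    my ($buffer) = @_;
    my %form;
    foreach my $pair (split /&/, $buffer) {
        # limit 2 keeps an '=' inside a value intact (original used no limit)
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ s/<!--(.|\n)*-->//g;
        $value =~ s/<([^>]|\n)*>//g if $allow != 1;
        $form{$name} = $value;      # writes a hash entry, never a scalar
    }
    return %form;
}

# Constructed body: two ordinary fields plus a field that shares its
# name with the configuration variable.
my $body = 'name=Alice&comment=Hi+there%21&mailprog=%2Ftmp%2Fnot-sendmail';
my %FORM = parse_form($body);

print "FORM{name}     = $FORM{name}\n";      # Alice
print "FORM{comment}  = $FORM{comment}\n";   # Hi there!
print "FORM{mailprog} = $FORM{mailprog}\n";  # /tmp/not-sendmail
print "\$mailprog      = $mailprog\n";       # /usr/lib/sendmail, untouched
```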