There are probably multiple issues with this script. I don't really have
the time to do a security audit for you but in a 5 minute glance
A) -t is supposed to be -T if you are enabling taint mode
B) It appears as if there is very little checking done on the path that is
issued. Things like
escaped periods would allow backtracking
possible null byte insertion in the regex would obviate the file extension
C) File open is done without explicitly putting in a "<" prefix to indicate
read-only access. So if the path starts or ends with | then an arbitrary
command could be executed.
Some of these might not work in practice, but I don't see an explicit area
of the code which basically prevents these things from occuring, so I can
only suspect it is possible with enough diligence.
I would suggest that if your site is using mod_perl, don't use some
home-grown template system. There are way too many out there that are
reallly well written and well-tested and examined for security. State your
requirements and ask the mod-perl list for some advice.
There are really powerful ones like TemplateToolkit, Mason, EmbPerl, but
then there are simpler ones also. And the #1 thing is that if you see
someone trying to roll their own template system, STOP THEM!! :)
It's really annoying to reinvent the wheel that's already been reinvented
many times.
Later,
Gunther
At 01:18 AM 2/14/2002, Rednecktek wrote:
>I've been asked if this script is secure. I believe it is. Can anyone find
>any problems with it?
>
>#!/usr/bin/perl -w -t
>use strict;
>use Apache;
>$ENV{GATEWAY_INTERFACE} =~ /^CGI-Perl/ or die "GATEWAY_INTERFACE not Perl!";
>my $r = Apache->request();
>my %args = $r->args();
>my $path = $r->uri;
>
>############################################################################
>###
>$path =~ s/\/(.*?)$//; # Strip off the scriptname
>my $tmplpath = "template/"; # Setup the template path
>my $cont_ext = ".html"; # Allow only content files with this extension
>my $tmpl_ext = ".tmpl"; # Allow only template files with this extension
>my $template = $tmplpath ."mcti". $tmpl_ext; # Setup the template path
>my $page = $args{page} || "index"; # Are we requesting a page or root?
>my $title = "Microdyne"; # Default Title of not specified in page
>my $debug = 1;
>############################################################################
>###
>my ($content, $pageout, $newtitle, $newtmpl);
>
>($content, $newtitle, $newtmpl) = pullpage( $page . $cont_ext );
>if ($newtitle) {$title = $newtitle;}
>if ($newtmpl) {$template = $tmplpath . $newtmpl . $tmpl_ext;}
>$pageout = readfile( $template );
>$pageout =~ s/%%TITLE%%/$title/g;
>$pageout =~ s/%%CONTENT%%/$content/g;
>
>pageout($pageout);
>
>############################################
># Spit out the content
>############################################
>sub pageout {
> my $pageout = shift;
> $r->content_type('text/html');
> $r->header_out( 'Content-Length', length($pageout) );
> $r->send_http_header();
>
> my $start = 0;
> my $len = 63000;
> while (my $p = substr($pageout, $start, $len)) {
> $start += $len;
> $r->print($p);
> }
> $r->rflush();
>}
>
>############################################
># Open content page, and check for options
># checks for tags in format: %%TAG=VALUE%%
>############################################
>sub pullpage {
> my $file = shift;
> my ($content, $title, $template);
> $content = readfile( $file );
>
> while ($content =~ m/%%(.*?)=(.*?)%%/) {
> my $key = $1;
> my $value = $2;
> SWITCH: for ($key) {
> /TEMPLATE/ && do {
> # Override default template
> logit("Found $key - $value",2);
> $template = $value;
> $content =~ s/%%$key=$value%%//g;
> last SWITCH;
> };
> /TITLE/ && do {
> logit("Found $key - $value",2);
> $title = $value;
> $content =~ s/%%$key=$value%%//g;
> last SWITCH;
> };
> /INCLUDE/ && do {
> #Read in an Included file
> logit("Found $key - $value",2);
> my $repl = readfile( $value );
> $content =~ s/%%$key=$value%%/$repl/g;
> last SWITCH;
> };
> };
> }
> return ($content, $title, $template);
>}
>
>############################################
># Reads a file and returns the content
>############################################
>sub readfile {
> my $file = shift;
> my $rv;
> logit("Opening file $file",2);
> open( FILE, $file ) || return "Could not find file $file";
> my @lines = <FILE>;
> close FILE || return "Could not close filehandle";
> logit("Closed file $file",2);
> for (@lines) {
> $rv .= $_;
> }
> return $rv;
>}
>
>sub logit {
> my $warning = shift;
> my $level = shift || 1;
> my $caller = (caller(1))[3];
> if ($debug >= $level) {
> warn " $caller:\t$warning";
> }
>}
>
>1;
>
>
>
>--
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
__________________________________________________
Gunther Birznieks ([EMAIL PROTECTED])
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
