"Gunther Birznieks" wrote:
> There are probably multiple issues with this script. I don't really have
> the time to do a security audit for you but in a 5 minute glance
>
> A) -t is supposed to be -T if you are enabling taint mode

Doh! Missed that one.

> B) It appears as if there is very little checking done on the path that is
> issued. Things like
> escaped periods would allow backtracking
> possible null byte insertion in the regex would obviate the file extension
> C) File open is done without explicitly putting in a "<" prefix to indicate
> read-only access. So if the path starts or ends with | then an arbitrary
> command could be executed.

I couldn't introduce errors using the null-byte, but I won't stop testing
just yet. I have no idea how to escape a period on the URL. Could someone
give me an example please.

> Some of these might not work in practice, but I don't see an explicit area
> of the code which basically prevents these things from occurring, so I can
> only suspect it is possible with enough diligence.
>
> I would suggest that if your site is using mod_perl, don't use some
> home-grown template system. There are way too many out there that are
> really well written and well-tested and examined for security. State your
> requirements and ask the mod-perl list for some advice.

Thanks, but nope, this is a test project.

> There are really powerful ones like TemplateToolkit, Mason, EmbPerl, but
> then there are simpler ones also. And the #1 thing is that if you see
> someone trying to roll their own template system, STOP THEM!! :)
>
> It's really annoying to reinvent the wheel that's already been reinvented
> many times.

No offense, but I don't want to "stand on the shoulders of giants." Part of
the reason I'm doing this is to understand the security issues involved,
even in a simple script like this. I know there is always more to learn,
now I know /what/ I need to learn.

cya,
Jon

> Later,
> Gunther
>
> At 01:18 AM 2/14/2002, Rednecktek wrote:
>
> >I've been asked if this script is secure. I believe it is. Can anyone find
> >any problems with it?
> >
> >
> >#!/usr/bin/perl -w -t
> >use strict;
> >use Apache;
> >$ENV{GATEWAY_INTERFACE} =~ /^CGI-Perl/ or die "GATEWAY_INTERFACE not Perl!";
> >my $r = Apache->request();
> >my %args = $r->args();
> >my $path = $r->uri;
> >
> >
> >######################################################################
> >#
> >###
> >$path =~ s/\/(.*?)$//;                   # Strip off the scriptname
> >my $tmplpath = "template/";              # Setup the template path
> >my $cont_ext = ".html";                  # Allow only content files with this extension
> >my $tmpl_ext = ".tmpl";                  # Allow only template files with this extension
> >my $template = $tmplpath . "mcti" . $tmpl_ext;   # Setup the template path
> >my $page = $args{page} || "index";       # Are we requesting a page or root?
> >my $title = "Microdyne";                 # Default Title if not specified in page
> >my $debug = 1;
> >######################################################################
> >#
> >###
> >my ($content, $pageout, $newtitle, $newtmpl);
> >
> >
> >($content, $newtitle, $newtmpl) = pullpage( $page . $cont_ext );
> >if ($newtitle) { $title = $newtitle; }
> >if ($newtmpl) { $template = $tmplpath . $newtmpl . $tmpl_ext; }
> >$pageout = readfile( $template );
> >$pageout =~ s/%%TITLE%%/$title/g;
> >$pageout =~ s/%%CONTENT%%/$content/g;
> >
> >
> >pageout($pageout);
> >
> >
> >######################################################################
> ># Spit out the content
> >######################################################################
> >sub pageout {
> >    my $pageout = shift;
> >    $r->content_type('text/html');
> >    $r->header_out( 'Content-Length', length($pageout) );
> >    $r->send_http_header();
> >
> >    # Send the page in chunks of at most $len bytes
> >    my $start = 0;
> >    my $len = 63000;
> >    while (my $p = substr($pageout, $start, $len)) {
> >        $start += $len;      # advance past the chunk just sent
> >        $r->print($p);
> >    }
> >    $r->rflush();
> >}
> >
> >
> >######################################################################
> ># Open content page, and check for options
> ># checks for tags in format: %%TAG=VALUE%%
> >######################################################################
> >sub pullpage {
> >    my $file = shift;
> >    my ($content, $title, $template);
> >    $content = readfile( $file );
> >
> >    while ($content =~ m/%%(.*?)=(.*?)%%/) {
> >        my $key = $1;
> >        my $value = $2;
> >        SWITCH: for ($key) {
> >            /TEMPLATE/ && do {
> >                # Override default template
> >                logit("Found $key - $value", 2);
> >                $template = $value;
> >                $content =~ s/%%$key=$value%%//g;
> >                last SWITCH;
> >            };
> >            /TITLE/ && do {
> >                logit("Found $key - $value", 2);
> >                $title = $value;
> >                $content =~ s/%%$key=$value%%//g;
> >                last SWITCH;
> >            };
> >            /INCLUDE/ && do {
> >                # Read in an Included file
> >                logit("Found $key - $value", 2);
> >                my $repl = readfile( $value );
> >                $content =~ s/%%$key=$value%%/$repl/g;
> >                last SWITCH;
> >            };
> >        };
> >    }
> >    return ($content, $title, $template);
> >}
> >
> >
> >######################################################################
> ># Reads a file and returns the content
> >######################################################################
> >sub readfile {
> >    my $file = shift;
> >    my $rv;
> >    logit("Opening file $file", 2);
> >    open( FILE, $file ) || return "Could not find file $file";
> >    my @lines = <FILE>;
> >    close FILE || return "Could not close filehandle";
> >    logit("Closed file $file", 2);
> >    for (@lines) {
> >        $rv .= $_;
> >    }
> >    return $rv;
> >}
> >
> >
> >sub logit {
> >    my $warning = shift;
> >    my $level = shift || 1;
> >    my $caller = (caller(1))[3];
> >    if ($debug >= $level) {
> >        warn " $caller:\t$warning";
> >    }
> >}
> >
> >
> >1;
> >
> >
> >--
> >To unsubscribe, e-mail: beginners-cgi-unsubscribe@perl.org
> >For additional commands, e-mail: beginners-cgi-help@perl.org
> >
>
> ______________________________________________________________________
> Gunther Birznieks (gunther.birznieks@eXtropia.com)
> eXtropia - The Open Web Technology Company
> http://www.eXtropia.com/
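For readers following the thread: the snippet below is an added example, not code from the original post or its author, showing how the page lookup and readfile() look once Gunther's points A (-T), B (path checking) and C (explicit read-only open) are applied. It assumes the script's layout of content pages as NAME.html in the working directory and a file name of hardened.pl.

```perl
#!/usr/bin/perl -T
# Added example, not code from the original post: a hardened version of
# the page lookup and readfile() that addresses Gunther's points A-C.
# Assumes the same layout as the script: content pages as NAME.html in
# the working directory. Run as: perl -T hardened.pl about
use strict;
use warnings;

my $cont_ext = ".html";

# Point B: accept only a bare page name. A whitelist anchored with \A..\z
# rejects "..", "/", "|", a NUL byte, or anything else outside the set,
# and the capture $1 is what lifts the taint under -T (point A).
sub clean_name {
    my $name = shift;
    return undef unless defined $name;
    return $name =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

# Point C: three-argument open with an explicit '<' mode. The third
# argument is taken literally as a path, so a leading or trailing '|'
# can no longer turn a read into a pipe to a command.
sub readfile {
    my $file = shift;
    open(my $fh, '<', $file) or return "Could not find file $file";
    local $/;                       # slurp the whole file at once
    my $rv = <$fh>;
    close($fh);
    return defined $rv ? $rv : "";
}

# Maps ?page=foo to foo.html; any name that fails the whitelist falls
# back to index.html instead of being passed through to open().
sub content_path {
    my $page = clean_name(shift);
    $page = "index" unless defined $page;
    return $page . $cont_ext;
}

print content_path($ARGV[0]), "\n";
```

Because the shebang carries -T, run it with `perl -T hardened.pl NAME`; invoking it without -T makes Perl abort with "Too late for -T".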