Hi, I've just read your message on the [EMAIL PROTECTED] mailing list archives: http:[EMAIL PROTECTED]/msg02976.html
I just thought you'd like to know that there's an extremely serious security problem: anyone can download every single file from your server! And that's not all, it's also possible to invoke any shell command! I'll explain it:

To download any file, you need to use PATH_INFO (and remember that any cracker can use any PATH_INFO he likes, he just needs to manually enter the URL in his web browser) containing something like "../../../.htpasswd" or "../../../../../../etc/passwd" (the cracker just has to experiment with the number of preceding "../" strings) and your script will send him ANY FILE!

Now with running any shell commands: It's possible to use such a PATH_INFO which after

    $file = $ENV{PATH_INFO};
    @pathitems = split("/",$file);
    shift(@pathitems);
    shift(@pathitems);
    shift(@pathitems);
    $file = join("/",@pathitems);

will give "| rm -rf / " stored in the $file variable, which after the command

    open(OUT,"$file");

will start to delete every file in directories your web server has write access to! PATH_INFO has to be "a/b/c/| rm -rf / " and you have a big problem. Any cracker can run ANY COMMAND he likes on your server. He can read files, remove files, write to files, alter logs, use your server for spam or denial of service attacks - ANYTHING!

ALWAYS USE THE TAINT MODE !!! Use the -T switch:

    #!/usr/bin/perl -wT

and untaint the $file variable:

    die 'INSECURE $file !!!' if $file =~ /\.\./;
    if ($file =~ /^([-\w./]+)$/) { $file = $1 } else { die 'INSECURE $file !!!' }

and now you can use it.

I'm sorry to say this, but I have fired four people this year for MUCH less important security holes. But your code is like an example from a security lesson on how NOT to write CGI code. If I saw code like this on one of my servers, I'd make an investigation, because it looks like a backdoor and I'm afraid the man who did it could have more serious consequences than just getting fired, especially if it turns out that this hole was actually used by someone.
I would not believe that it was a mistake of anyone who knows anything about the most fundamental rules of CGI code security, so I would assume that it was a backdoor and that he wanted to compromise my network. Good advice: Fix it as soon as possible and never EVER tell your boss about it. If your boss finds out about it and he only fires you without further investigation, then he's plain stupid.

__________________________________________________
Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games
http://sports.yahoo.com
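The hardened version of the file-serving script described in the message above, as an added example that is not part of the original post and not the recipient's code. It keeps the poster's PATH_INFO handling (split on "/", three shifts, join) and the poster's untaint regex, and adds three things a reviewer would insist on: taint mode, a three-argument open with an explicit read mode so the filename can never be parsed as a pipe, and anchoring the result under a document root. The $DOCROOT path, the function names and the constructed test inputs are assumptions for illustration.

```perl
#!/usr/bin/perl -wT
use strict;
use warnings;
use File::Spec;

# Hypothetical document root (assumption): the only tree the script may serve from.
my $DOCROOT = '/var/www/files';

# Reduce PATH_INFO to a root-relative file name the same way the original script
# does, then refuse anything that is not a plain relative path.  Returns the
# untainted relative path, or undef when the input must be rejected.
sub untaint_path {
    my ($path_info) = @_;
    return undef unless defined $path_info;

    my @items = split m{/}, $path_info;
    shift @items for 1 .. 3;               # same three shift() calls as the original
    my $file = join '/', @items;

    return undef unless length $file;      # nothing left to serve
    return undef if $file =~ /\.\./;       # no parent-directory components
    return undef if $file =~ m{^/};        # the poster's regex alone would accept a
    return undef if $file =~ m{//};        # leading "/" or empty components; refuse them

    # Under -T only data captured by a regex match becomes untainted.
    return $1 if $file =~ m{^([-\w./]+)$};
    return undef;
}

# Serve the requested file from $DOCROOT, or an error status.  Returns 1 on success.
sub serve_file {
    my ($path_info) = @_;
    my $rel = untaint_path($path_info);
    unless (defined $rel) {
        print "Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nINSECURE path\n";
        return 0;
    }
    my $full = File::Spec->catfile($DOCROOT, $rel);

    # Three-argument open with an explicit '<' mode: the name is a filename and
    # nothing else, unlike open(OUT, "$file"), which treats a leading "|" as a pipe.
    open(my $in, '<', $full) or do {
        print "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot found\n";
        return 0;
    };
    binmode $in;
    print "Content-Type: application/octet-stream\r\n\r\n";
    print while <$in>;
    close $in;
    return 1;
}

if (defined $ENV{PATH_INFO}) {
    # Running as a CGI: behave like the original script, but safely.
    serve_file($ENV{PATH_INFO});
} else {
    # Running from the command line: self-check untaint_path on constructed inputs.
    # Real CGI PATH_INFO starts with "/", hence the leading slash in every case.
    my @cases = (
        ['/a/b/report.txt',            'report.txt'],        # plain file: accepted
        ['/a/b/sub/dir/data.csv',      'sub/dir/data.csv'],  # subdirectory: accepted
        ['/a/b/../../../etc/passwd',   undef],               # traversal: rejected
        ['/a/b/| rm -rf / ',           undef],               # pipe payload: rejected
        ['/a/b//etc/passwd',           undef],               # would join to "/etc/passwd": rejected
        ['/a/b',                       undef],               # nothing left after the shifts
    );
    for my $c (@cases) {
        my ($input, $want) = @$c;
        my $got = untaint_path($input);
        my $ok = (defined $got ? $got : '<undef>') eq (defined $want ? $want : '<undef>');
        printf "%-28s => %s\n", $input, $ok ? 'OK' : 'MISMATCH';
    }
}
```

Run the self-check with `perl -T safe_serve.pl` (the `-T` on the command line must match the shebang, otherwise Perl refuses with "Too late for -T"). The extra checks on a leading "/" and on empty components matter because the poster's regex `^([-\w./]+)$` accepts "/etc/passwd" as a valid string; joining the result onto $DOCROOT with File::Spec and opening with an explicit mode is what makes the accepted string harmless even if a later edit loosens the regex.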