Erotomek, As you've changed the subject line, and have not included the original message, could you please explain whose post this is regarding. Quite a lot of code is sent to this mailing list!
Thanks,
Carl

p.s. Please don't cc me, I'm on the list.

----------
> From: erotomek <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: Very serious security hole in your script
> Date: Tue, Feb 26, 2002, 5:11 am
>
> Hi,
>
> I've just read your message on the [EMAIL PROTECTED] mailing list archives:
> http:[EMAIL PROTECTED]/msg02976.html
>
> I just thought you'd like to know that there's an extremely serious security problem: anyone can download every single file from your server! And that's not all, it's also possible to invoke any shell command!
>
> I'll explain it:
>
> To download any file, you need to use a PATH_INFO (and remember that any cracker can use any PATH_INFO he likes, he just needs to manually enter the URL in his web browser) containing something like "../../../.htpasswd" or "../../../../../../etc/passwd" (the cracker just has to experiment with the number of preceding "../" strings) and your script will send him ANY FILE!
>
> Now with running any shell commands:
>
> It's possible to use such a PATH_INFO which after
>
>     $file = $ENV{PATH_INFO};
>     @pathitems = split("/",$file);
>     shift(@pathitems);
>     shift(@pathitems);
>     shift(@pathitems);
>     $file = join("/",@pathitems);
>
> will give "| rm -rf / " stored in the $file variable, which after the command
>
>     open(OUT,"$file");
>
> will start to delete every file in directories your web server has write access to!
>
> PATH_INFO has to be "a/b/c/| rm -rf / " and you have a big problem. Any cracker can run ANY COMMAND he likes on your server. He can read files, remove files, write to files, alter logs, use your server for spam or denial of service attacks - ANYTHING!
>
> ALWAYS USE THE TAINT MODE !!!
>
> Use the -T switch:
>
>     #!/usr/bin/perl -wT
>
> and untaint the $file variable:
>
>     die 'INSECURE $file !!!' if $file =~ /\.\./;
>     if ($file =~ /^([-\w./]+)$/) { $file = $1 }
>     else { die 'INSECURE $file !!!' }
>
> and now you can use it.
>
> I'm sorry to say this, but I have fired four people this year for MUCH less important security holes.
>
> But your code is like an example from the security lesson on how NOT to write CGI code. If I saw code like this on one of my servers, I'd make an investigation, because it looks like a backdoor and I'm afraid the man who did it could have more serious consequences than just getting fired, especially if it turns out that this hole was actually used by someone. I would not believe that it was a mistake of anyone who knows anything about the most fundamental rules of CGI code security, so I would assume that it was a backdoor and that he wanted to compromise my network.
>
> Good advice: Fix it as soon as possible and never EVER tell your boss about it. If your boss finds out about it and he only fires you without further investigation, then he's plain stupid.
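A hardened version of the PATH_INFO file handler that erotomek describes, written here as an added example rather than code from the thread: it keeps the three-component strip of the quoted script, assumes a hypothetical document root /var/www/files, and adds the two checks the quoted advice stops short of, a realpath confinement test and a three-argument open so the name can never be read as a pipe.

```perl
#!/usr/bin/perl -T
# Added example, not the original poster's script. Assumes files are served
# from $DOC_ROOT (hypothetical path) and that the first three PATH_INFO
# components are discarded, as in the quoted script.
use strict;
use warnings;
use File::Spec;
use Cwd qw(realpath);

my $DOC_ROOT = realpath('/var/www/files');   # assumption: the only directory to serve

# Return the absolute path to serve, or undef if the request must be rejected.
sub safe_path {
    my ($path_info) = @_;
    return undef unless defined $path_info && defined $DOC_ROOT;

    my @parts = split m{/}, $path_info;
    splice @parts, 0, 3;                     # the three shift() calls of the original
    my $rel = join '/', @parts;

    # Reject any ".." component outright, then untaint with a conservative
    # whitelist; the regex capture is what clears the taint flag under -T.
    return undef if $rel =~ m{(^|/)\.\.(/|$)};
    return undef unless $rel =~ m{^([-\w./]+)$};
    $rel = $1;

    # Canonicalise (resolving symlinks) and confirm the result is still inside
    # $DOC_ROOT; realpath returns undef for files that do not exist.
    my $abs = realpath(File::Spec->catfile($DOC_ROOT, $rel));
    return undef unless defined $abs && index($abs, "$DOC_ROOT/") == 0;
    return $abs;
}

sub serve {
    my $abs = safe_path($ENV{PATH_INFO});
    if (!defined $abs) {
        print "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n";
        return;
    }
    # Three-argument open with an explicit '<' mode: the name is a filename only,
    # never a pipe or redirection as with the two-argument open(OUT,"$file").
    open(my $fh, '<', $abs) or do {
        print "Status: 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot found\n";
        return;
    };
    print "Content-Type: application/octet-stream\r\n\r\n";
    print while <$fh>;
    close $fh;
}
serve();
```

Because realpath resolves symlinks before the prefix test, a link inside the document root that points elsewhere is refused as well, which the quoted regex alone would not catch.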