On Sunday, April 21, 2002, at 11:58 , Rafael Cotta wrote:

> Maybe because of my bad English

most likely my 'American'.....

> and lack of knowledge on Linux I couldn't
> understand what you mean.

I will try again.

> Tell me: is it a security issue or not?

It is a Reasonable Security Issue - it depends upon how the
webServer is set up and the rest. IF it is running as Root,
vice as 'nobody' or 'www' - then the malicious commands could
actually remove everything....

I would write my CGI as IF any input coming in was going
to be used as an attack. Your Original Idea is one of
several ways to do the pipeline construction.....

so folks should check for at least "|" and ";" as a part of
the 'returned information' from their cgi forms if they are
planning to "pass them to a shell command" with

        exec or system or the ` `


since if the shell gets

        ourCode whatShouldBeParameters <the attack stuff>

and that could be

        | cmd

        ; cmd

since anything that you can 'chain' on the command line
can also be chained as the 'end stuff' on a shell invocation.

a simpler example

[jeeves:~] drieux% date -u ; echo "hello" | wc
Sun Apr 21 21:58:34 PDT 2002
        1       1       6
[jeeves:~] drieux%

the ';' separates the 'date' command from the 'pipeline'
'echo "hello" | wc' - so the shell executes the first command
and then the second command.

The basic idea that Alex was putting forward was that
'well all I would be doing was passing the "arguments" to
the command' - in this case he would have 'assumed' that it
would all be read by 'date', and 'date -u' returns the time
in GMT time.....

it is the stuff after the ";" where one could Hide the attack.

I, to keep consistent with your '|' idea, had done some more
fancy stuff....

So there is 'pipelining' of commands that can cause problems,
and the CGI writer must check that the incoming parameters
make sense - OR they should avoid forking shell commands.



ciao
drieux

---
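As an added illustration of the two defences the mail closes with (this is example code, not drieux's or the list's own), the script below checks an incoming CGI parameter for the chaining characters described above, accepts only a fixed set of values, and then runs `date` through Perl's list-form pipe open so that no shell ever sees the parameter. The parameter names, the allowed `date` options and the sample inputs are assumptions made for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from drieux or the original thread. It shows
# checking a CGI parameter before it reaches a shell, and avoiding the
# shell altogether. Run as:  perl -T this_script.pl
use strict;
use warnings;

# Under "perl -T" Perl refuses to run external programs with a tainted
# PATH, so pin it and drop the variables the shell would otherwise honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Shell metacharacters to reject. The mail names "|" and ";" as the
# minimum; the rest of this set is the usual list of characters a shell
# uses to chain, redirect or substitute commands (a cautious superset).
my $SHELL_META = qr/[|;&<>`\$()\\'"\n]/;

# Blacklist check, the "at least | and ;" test from the mail. A useful
# tripwire for logging, but not sufficient on its own: the allowlist
# below is what actually decides.
sub has_shell_meta {
    my ($s) = @_;
    return $s =~ $SHELL_META ? 1 : 0;
}

# Allowlist (assumed for the demo): the form sends a short word, and only
# these words map to an option that will ever be handed to date(1).
my %DATE_OPTION = ( utc => '-u', rfc2822 => '-R' );

# Returns the date option for a valid form value, or undef. The regex
# capture also untaints the value under "perl -T".
sub untaint_option {
    my ($name) = @_;
    return undef unless defined $name && $name =~ /^([a-z0-9]+)$/;
    my $clean = $1;    # untainted copy
    return exists $DATE_OPTION{$clean} ? $DATE_OPTION{$clean} : undef;
}

# The shape the thread warns about: one string, so /bin/sh parses it and
# honours any "; cmd" or "| cmd" that arrived inside the parameter.
# Shown for contrast only; the demo never calls it.
sub date_via_shell_UNSAFE {
    my ($arg) = @_;
    return `date $arg`;
}

# Hardened form: with more than one element after the mode, Perl runs the
# program directly, so there is no shell to interpret "|" or ";".
sub date_no_shell {
    my ($opt) = @_;
    open( my $fh, '-|', 'date', $opt ) or die "cannot run date: $!";
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed sample inputs: one legitimate value and two carrying the
# chaining characters the mail describes.
my @samples = ( 'utc', 'utc; echo injected', 'utc | wc' );

for my $in (@samples) {
    my $opt = untaint_option($in);
    if ( defined $opt ) {
        print "accept '$in' -> date $opt: ", date_no_shell($opt);
    }
    else {
        my $why = has_shell_meta($in) ? 'shell metacharacter'
                                      : 'not on the allowlist';
        print "reject '$in' ($why)\n";
    }
}
```

The allowlist, not the metacharacter scan, is the control that matters: a blacklist can only catch the characters one thought of, whereas mapping a fixed set of form values to a fixed set of options means nothing the client sends is ever interpreted. Running under `perl -T` adds a second net, since Perl will die rather than pass unchecked user data to `system`, `exec` or backticks.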

