Food for thought indeed! Fortunately the number of options the user has is small and so I can write my script like so;

    system "Myscript option1" if ("$Form_input" eq "Nice_things1");
    system "Myscript option2" if ("$Form_input" eq "Nice_things2");
    etc ...

Also this form is being used more as a "make my life easier and stop me having to type lots of silly long things into the command line" for internal use only, as opposed to a real WWW application. Plus, the server is running as "somebody", as opposed to Root ..., so it has the same permissions as the user which means that if the user did decide to try and use my form for evil, then they shouldn't be able to do anything more evil than if they simply sat at their machine and typed;

    % GRrrrrrr evilnesss

thanks for all the advice,

Alex.

drieux wrote:

> On Sunday, April 21, 2002, at 11:58 , Rafael Cotta wrote:
>
> > Maybe because of my bad English
>
> most likely my 'american'.....
>
> > and lack of knowledge on Linux I couldn't
> > understand what you mean.
>
> I will try again.
>
> > Tell me: is it a security issue or not?
>
> It is a Reasonable Security Issue - it depends upon how the
> webServer is set up and the rest. IF it is running as Root,
> vice as 'nobody' or 'www' - then the malicious commands could
> actually remove everything....
>
> I would write my CGI as IF any input coming in was going
> to be used as an attack. Your Original Idea is one of
> several ways to do the pipeline construction.....
>
> so folks should check for at least "|" and ";" as a part of
> the 'returned information' from their cgi forms if they are
> planning to "pass them to a shell command" with
>
>     exec or system or the ` `
>
> since if the shell gets
>
>     ourCode whatShouldBeParameters <the attack stuff>
>
> and that could be
>
>     | cmd
>
>     ; cmd
>
> since anything that you can 'chain' on the command line
> can also be chained as the 'end stuff' on a shell invocation.
>
> a simpler example
>
>     [jeeves:~] drieux% date -u ; echo "hello" | wc
>     Sun Apr 21 21:58:34 PDT 2002
>     1 1 6
>     [jeeves:~] drieux%
>
> the ';' separates the 'date' command from the 'pipeline'
> 'echo "hello" | wc' - so the shell executes the first command
> and then the second command.
>
> in the basic idea that alex was putting forward was that
> 'well all I would be doing was passing the "arguments" to
> the command' - in this case he would have 'assumed' that it
> would all be read by 'date' and 'date -u' returns the time
> in GMT time.....
>
> it is the stuff after the ";" where one could Hide the attack.
>
> I, to keep consistent with your '|' idea, had done some more
> fancy stuff....
>
> So there are 'pipelining' of commands that can cause problems
> and the cgi writer must check that the incoming parameters
> make sense - OR they should avoid forking shell commands.
>
> ciao
> drieux
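
Added example, not part of the original thread and not code from any of its participants: the fixed mapping Alex describes, combined with drieux's advice to avoid forking a shell, written in Perl. `%ALLOWED`, `resolve_command()`, `run_allowed()` and the `--run` switch are hypothetical names; `Myscript`, its options and the form values come from the post, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Exact-match allowlist: form value => fixed argument vector.
# Myscript/option1/option2 and the form values are from the post;
# %ALLOWED and the sub names are hypothetical.
my %ALLOWED = (
    Nice_things1 => [ 'Myscript', 'option1' ],
    Nice_things2 => [ 'Myscript', 'option2' ],
);

# Map a form value to its argv, or an empty list if it is not allowlisted.
sub resolve_command {
    my ($form_input) = @_;
    return () unless defined $form_input && exists $ALLOWED{$form_input};
    return @{ $ALLOWED{$form_input} };
}

# Run the mapped command without a shell. Returns the exit code,
# or undef if the input was rejected or the program could not start.
sub run_allowed {
    my ($form_input) = @_;
    my @argv = resolve_command($form_input) or return;
    # Indirect-object form of system: always execvp(), never /bin/sh,
    # so ';' and '|' in an argument would be plain characters.
    my $rc = system { $argv[0] } @argv;
    return if $rc == -1;
    return $? >> 8;
}

my $execute = grep { $_ eq '--run' } @ARGV;   # default is a dry run

# Constructed sample inputs: two valid values and three chaining attempts.
for my $input ('Nice_things1', 'Nice_things2',
               'Nice_things1; echo "hello" | wc', '| cmd', '; cmd') {
    my @argv = resolve_command($input);
    if (!@argv) {
        print "reject: [$input]\n";
        next;
    }
    print "accept: [$input] -> @argv\n";
    if ($execute) {
        my $code = run_allowed($input);
        print defined $code ? "  exit code $code\n" : "  could not start $argv[0]\n";
    }
}
```

Because the form value is only ever used as a hash key, nothing the user types reaches the command line; the three chaining inputs are rejected rather than filtered.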