Bugtraq mailing list archives
jj cgi
From: aleph1 () dfw net (Aleph One)
Date: Tue, 24 Dec 1996 20:30:20 -0600
jj.c is a demo cgi program. It passes unfiltered user input to /bin/mail. You know what that means. Use ~ to escape to a shell, etc. The segment of the code looks like:

    if(allow) {
        char t[256];
        /* JJ_FAX comes straight from the request; no filtering before the shell sees it */
        sprintf(t,"/bin/mail %s",JJ_FAX);
        if(!(order=popen(t,"w")))
            print_error("the server was unable to open a pipe to mail");

For allow to be true a password must be supplied. I have seen both "HTTPdrocks" and "SDGROCKS" used as default in the source code.

To make matters more interesting it defined the following variable:

    char w[256];

It then uses getword to fill it with user supplied data:

    getword(w,cl,'=');

getword is defined as:

    void getword(char *word, char *line, char stop)
    {
        int x = 0, y;

        /* copies up to the stop character with no check against the size of word */
        for (x = 0; ((line[x]) && (line[x] != stop)); x++)
            word[x] = line[x];
        word[x] = '\0';
        if (line[x])
            ++x;
        /* shift the rest of line down over what was consumed */
        y = 0;
        while (line[y++] = line[x++]);
    }

As you can see it does no bounds checking. Lucky for them that main calls exit before returning or you would have a nice buffer overflow.

This code should be studied as an example of how NOT to write secure programs.

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
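For contrast with the two defects above, here is an added example (not jj.c's code, and not part of the original post) of how the same two steps look when done defensively: a bounded replacement for getword() that can never write past the caller's buffer, and a validator that refuses any argument containing characters the shell or mail's ~ escape handling could interpret before it is ever placed into the popen() command string. The function names and the accepted character set are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounded version of jj.c's getword(): copies characters from line into
 * word up to the stop character, never storing more than wordsz-1 bytes
 * plus the terminator, then shifts the remainder of line down exactly as
 * the original does. Returns 1 if the field had to be truncated, else 0.
 * (Added example; the name getword_bounded is assumed.) */
int getword_bounded(char *word, size_t wordsz, char *line, char stop)
{
    size_t x, n = 0;
    int truncated = 0;

    if (wordsz == 0)
        return 1;                       /* nowhere to write even a terminator */
    for (x = 0; line[x] && line[x] != stop; x++) {
        if (n + 1 < wordsz)
            word[n++] = line[x];
        else
            truncated = 1;              /* field longer than the buffer */
    }
    word[n] = '\0';
    if (line[x])
        ++x;                            /* skip the stop character */
    memmove(line, line + x, strlen(line + x) + 1);
    return truncated;
}

/* Accept a mail recipient only if it is built from letters, digits and
 * a few safe punctuation marks. Leading '-' (option injection) and '~'
 * (mail escape) are refused, as is anything the shell treats specially,
 * so the value can never change the meaning of "/bin/mail %s".
 * (Added example; the allowed set is an assumption.) */
int safe_mail_arg(const char *s)
{
    size_t i;

    if (s[0] == '\0' || s[0] == '-' || s[0] == '~')
        return 0;
    for (i = 0; s[i]; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '@' || c == '.' || c == '_' || c == '-'))
            return 0;
    }
    return 1;
}
```

A rejected argument should be logged and the request refused; an allowlist like this is much easier to reason about than trying to strip individual dangerous characters.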