Bugtraq mailing list archives
Re: Security bugs in Excite for Web Servers 1.1
From: ap1 () TORCH ROWAN EDU (Andrew Pitman)
Date: Tue, 1 Dec 1998 17:57:47 -0500
On Tue, 1 Dec 1998, Gurjeet Clair wrote:
> Today I saw <Michael Gerdts> say:
> On November 11 I reported the following problems to ewsbugs () excite com.
> I have only received an automated reply.
>
> Hmmmmm.....
>
>     sub make_files_readwriteable {
>         local($files) = @_;
>         return 1 if ($ews_port eq 'NT');
>         return system("/bin/chmod a+rw $files");    # <---- EVIL!
>     }
>
> Ahh, there's the little culprit right there! The "chmod a+rw $files".
> Well, one fix is to use "chmod 0600 $file" (I think u+rw) OR not use the
> system call

The problem (I think) is that user data ($files) is allowed to be parsed
by the shell before /bin/chmod touches it. This is dangerous, since they
can make $files be something like "filename; some command here" or even
"`some command here`". Under sh or bash, "some command here" _would_ get
run as the user the webserver is running as..... I could be mistaken,
though, as I haven't looked at the rest of the source. This kind of thing
would be OK if all non-alphanumeric, non-period, and non-dash characters
were filtered out using tr or some such.

> itself and use the built-in Perl functions to set permissions. Of course
> this only creates the permissions as the user that the webserver runs as.

I question why the author didn't just use the Perl builtin function
chmod().... Or, system with the fields separated by commas:

    system "/bin/chmod", "a+rw", $files;   # This would be OK since it
                                           # doesn't use sh.

At any rate, why was the file being made world writable anyway?

Andrew
--
"The wonderful thing about standards is that there are so many to choose
from." (Andrew S. Tanenbaum)
-------------------------------------------------------------
Andrew Pitman
MIS Unix System Administrator
Rowan University
-------------------------------------------------------------
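As an added example, not code from the thread or from Excite's product: the vulnerable shape discussed above beside the two fixes Andrew names (list-form system() and Perl's builtin chmod), plus the letters/digits/period/dash filter he mentions. The sub names, the scratch file and the sample names are constructed for the demo.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Character filter along the lines Andrew suggests: accept only letters,
# digits, period and dash; anything else is rejected (returns undef).
sub safe_filename {
    my ($name) = @_;
    return $name =~ /\A[A-Za-z0-9.-]+\z/ ? $name : undef;
}

# The vulnerable shape from the thread, kept for comparison and never
# called here: $files is interpolated into one string that /bin/sh parses.
sub make_files_readwriteable_unsafe {
    my ($files) = @_;
    return system("/bin/chmod a+rw $files");
}

# Fix 1: list-form system() hands each argument straight to chmod. No
# shell is involved, so metacharacters in a name are just characters.
sub make_files_readwriteable_list {
    my (@files) = @_;
    return system('/bin/chmod', 'a+rw', @files) == 0;
}

# Fix 2: Perl's builtin chmod, no external process at all. Sets the same
# bits as a+rw (rw for user, group, other) and leaves the rest untouched.
sub make_files_readwriteable_builtin {
    my (@files) = @_;
    my $changed = 0;
    for my $f (@files) {
        my $mode = (stat $f)[2];
        next unless defined $mode;            # skip missing files
        $changed += chmod(($mode & 07777) | 0666, $f);
    }
    return $changed;
}

# Constructed demo: a scratch file, reset to 0600 before each fix is applied.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/report.txt";
open my $fh, '>', $file or die "open: $!";
close $fh;
for my $name ('report.txt', 'report.txt;echo') {
    printf "filter %s '%s'\n", defined safe_filename($name) ? 'accepts' : 'rejects', $name;
}
for my $fix (\&make_files_readwriteable_list, \&make_files_readwriteable_builtin) {
    chmod 0600, $file;
    $fix->($file) or die "chmod failed: $!";
    printf "mode after fix: %04o\n", (stat $file)[2] & 07777;
}
```

Both fixes leave the scratch file at mode 0666; the point is that a name containing ";" or backticks reaches chmod as a literal argument (or never reaches it, if the filter runs first) rather than being parsed by a shell.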