Re: Security bugs in Excite for Web Servers 1.1

[ap1 () TORCH ROWAN EDU (Andrew Pitman)]

On Tue, 1 Dec 1998, Gurjeet Clair wrote:

> Today I saw <Michael Gerdts> say:
>
> > On November 11 I reported the folloing problmes to ewsbugs () excite com.  I
> > have only recieved an automated reply.

Hmmmmm.....

> sub make_files_readwriteable {
>     local($files) = @_;
>     return 1 if ($ews_port eq 'NT');
>     return system("/bin/chmod a+rw $files"); <---- EVIL!
> }
>
> Ahh, theres the litte culprit right there! The "chmod a+rw $files".  Well
> one fix is to use "chmod 0600 $file" (i think u+rw) OR not use the system call

The problem (I think) is that user data ($files) is allowed to be parsed
by the shell before /bin/chmod touches it.  This is dangerous, since they
can make $files be something like "filename; some command here" or even
"`some command here`".  Under sh or bash, "some command here" _would_ get
run as the user the webserver is running as.....  I could be mistaken,
though, as I haven't looked at the rest of the source.  This kind of thing
would be OK if all non-alphanumeric, non-period, and non-dash characters
were filtered out using tr or some such.

> itself and use the built in perl functions to set permissions.  Of course this
> only creates the permissions as the user that the webserver runs as.

I question why the author didn't just use the Perl builtin function
chmod()....  Or, system with the fields separated by commas:

       system "/bin/chmod", "a+rw", $files;  # This would be OK since it
                                             # doesn't use sh.

At any rate, why was the file being made world writable anyway?

Andrew
--
  "The wonderful thing about standards is that there are so
   many to choose from."
                                        (Andrew S. Tanenbaum)
-------------------------------------------------------------
  Andrew Pitman                           MIS
  Unix System Administrator               Rowan University
-------------------------------------------------------------