Bugtraq mailing list archives
Re: PHP script: Penguin Traceroute, Remote Command Execution
From: "Philip Turner" <p.turner () newman ac uk>
Date: Fri, 22 Mar 2002 08:52:17 -0000
On 21 Mar 2002 at 14:16, paul jenkins wrote:
> /* ------------------------------ *
>  * --------Security Freaks------- *
>  * ----www.securityfreaks.com---- *
>  * ------------------------------ */
>
> Info
> ====
> Software: Penguin Traceroute
> Website: http://www.linux-directory.com/scripts/traceroute.shtml
> Versions: 1.0
> Platforms: Linux
> Vulnerability Type: Remote Command Execution
>
> Details
> =======
> Penguin Traceroute is a perl script that does traceroute. This is another script where the author forgets to parse the input for any ; | characters and any user is able to execute anything he wants with the same permissions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd" and there goes the passwords, or if the user apache has write access "127.0.0.1;echo I iz 1337>index.html".
>
> Fix
> ===
> Open up the perl script in your favorite text editor, find a line that has "$host = $q->param('host');" It's usually the 13th line down then just add this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and

Shouldn't this be "$host =~ s/[^0-9A-Za-z.-]//g;" on the basis that accepting known good is safer than rejecting known bad?

> that should parse out any unwanted characters.
-- Phil Turner
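
The difference between the two substitutions discussed in this thread, as an added example (not part of either post or of Penguin Traceroute): it runs both regexes over the ASCII range to show what each one lets through, then over the advisory's sample input. `validate_host` is a hypothetical stricter check, not from the thread, that rejects bad input instead of rewriting it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Filter from the advisory's suggested fix: strip known-bad characters.
sub denylist_filter {
    my ($host) = @_;
    $host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;
    return $host;
}

# Filter from Philip Turner's reply: keep only known-good characters.
sub allowlist_filter {
    my ($host) = @_;
    $host =~ s/[^0-9A-Za-z.-]//g;
    return $host;
}

# Hex codes of the non-alphanumeric ASCII characters a filter lets through.
sub survivors {
    my ($filter) = @_;
    return map  { sprintf '0x%02x', $_ }
           grep { chr($_) !~ /[0-9A-Za-z]/ && length $filter->(chr $_) }
           0 .. 127;
}

# Hypothetical stricter check (not from the thread): reject, do not rewrite.
# Accepts only dot-separated labels that start and end with a letter or digit.
sub validate_host {
    my ($host) = @_;
    my $label = qr/[0-9A-Za-z](?:[0-9A-Za-z-]*[0-9A-Za-z])?/;
    return unless defined $host && length($host) <= 253;
    return $host =~ /\A$label(?:\.$label)*\z/ ? $host : undef;
}

for my $f ([denylist => \&denylist_filter], [allowlist => \&allowlist_filter]) {
    my @kept = survivors($f->[1]);
    printf "%-9s passes %2d non-alphanumeric characters: %s\n",
        $f->[0], scalar @kept, "@kept";
}

# First input is the advisory's own example; the other two are constructed.
# '-example.com' has a leading hyphen, so it is not a valid hostname label.
for my $in ('127.0.0.1;cat /www/secure/.htpasswd', 'example.com', '-example.com') {
    my $ok = validate_host($in);
    printf "%-38s deny=[%s] allow=[%s] validate=%s\n", "[$in]",
        denylist_filter($in), allowlist_filter($in), defined $ok ? 'accept' : 'reject';
}
```

Stripping characters still hands a rewritten string to the command line, whereas the validating form lets the script return an error without running anything.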