Re: PHP script: Penguin Traceroute, Remote Command Execution

[bugtraq () planet nl]

I informed the admin of linux-directory about this months ago, but he doesn't seem to 
care a lot. The nslookup script on his site is also vulnerable to file reading and 
command executing vulnerabilities.
Anyone noticed that the sample traceroute script doesn't work at all?

Niels Teusink

On 21 Mar 2002 at 14:16, paul jenkins wrote:

> /* ------------------------------ *
>  * --------Security Freaks------- *
>  * ----www.securityfreaks.com---- *
>  * ------------------------------ */
>
>
> Info
> ====
> Software: Penguin Traceroute
> Website: http://www.linux-directory.com/scripts/traceroute.shtml
> Versions: 1.0
> Platforms: Linux
> Vulnerability Type: Remote Command Execution
>
>
> Details
> =======
> Penguin Traceroute is a perl script that does traceroute. This is another
> script where the author forgets to parse the input for any ; | characters 
> and anyone user is able to execute anything he wants with the same 
> permitions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd" 
> and there goes the passwords, or if the user apache has write access 
> "127.0.0.1;echo I iz 1337>index.html".
>
>
> Fix
> ===
> Open up the perl script in your favorite text editor, find a line that has
> "$host = $q->param('host');" Its usually the 13th line down then just add 
> this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and 
> that should parse out any unwanted characters.