Bugtraq mailing list archives
Re: PHP script: Penguin Traceroute, Remote Command Execution
From: bugtraq () planet nl
Date: Fri, 22 Mar 2002 23:53:41 +0100
I informed the admin of linux-directory about this months ago, but he doesn't seem to care a lot. The nslookup script on his site is also vulnerable to file reading and command executing vulnerabilities. Anyone noticed that the sample traceroute script doesn't work at all? Niels Teusink On 21 Mar 2002 at 14:16, paul jenkins wrote:
/* ------------------------------ * * --------Security Freaks------- * * ----www.securityfreaks.com---- * * ------------------------------ */ Info ==== Software: Penguin Traceroute Website: http://www.linux-directory.com/scripts/traceroute.shtml Versions: 1.0 Platforms: Linux Vulnerability Type: Remote Command Execution Details ======= Penguin Traceroute is a perl script that does traceroute. This is another script where the author forgets to parse the input for any ; | characters and anyone user is able to execute anything he wants with the same permitions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd" and there goes the passwords, or if the user apache has write access "127.0.0.1;echo I iz 1337>index.html". Fix === Open up the perl script in your favorite text editor, find a line that has "$host = $q->param('host');" Its usually the 13th line down then just add this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and that should parse out any unwanted characters.
Current thread:
- PHP script: Penguin Traceroute, Remote Command Execution paul jenkins (Mar 21)
- Re: PHP script: Penguin Traceroute, Remote Command Execution Philip Turner (Mar 22)
- Re: PHP script: Penguin Traceroute, Remote Command Execution bugtraq (Mar 22)