Bugtraq mailing list archives
Re: Jason Maloney's CGI Guestbook Remote Command Execution Vulnerability.
From: Nick Cleaton <nick () cleaton net>
Date: Wed, 3 Dec 2003 14:41:18 +0000
On Mon, Dec 01, 2003 at 06:26:32PM +0000, Shaun Colley wrote: [SNIP]
Here is the error-prone code:

###################### CUT HERE ######################
############################################################
#Don't touch, these are necessary to run the script!
$mailprog = '/usr/lib/sendmail';
$entry = 1;
$allow = 1;
$date_command = "/usr/bin/date";
############################################################

$date = `$date_command +"%B %d, %Y"`;
chop($date);

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ s/<!--(.|\n)*-->//g;
    if ($allow != 1) {
        $value =~ s/<([^>]|\n)*>//g;
    }
    $FORM{$name} = $value;
}
###################### CUT HERE ######################

The above code trustingly reads in data from the user's HTTP POST request (their submission of a guestbook post), assigning all values to variables specified in the POST request. Due to bad user input checking, the user could easily change the value of a variable holding the path of a program to be opened as a pipe, such as $mailprog. $mailprog holds the path of the sendmail application, and could be changed to an arbitrary program depending upon the attacker's desire.
No, the user could easily change $FORM{'mailprog'}, but there's nothing in the code above that could change $mailprog itself. This is a false alarm.

--
Nick Cleaton
nick () cleaton net
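The following Perl script is an added example, not code from the guestbook or from either poster: it wraps the quoted parsing loop in a function, feeds it a constructed POST body that includes a field named "mailprog", and checks that the submitted value lands only in %FORM while the script's own $mailprog scalar is untouched. The field names and values in the body are constructed for this demonstration.

```perl
#!/usr/bin/perl
# Added example (not the guestbook's code): reproduce the quoted form-parsing
# loop and verify that submitted fields only populate %FORM, never scalars
# such as $mailprog, which is the point of the reply above.
use strict;
use warnings;

# Same fixed configuration value as the quoted script.
my $mailprog = '/usr/lib/sendmail';

# The quoted loop, with 'my' declarations added so it runs under 'use strict'
# and a split limit of 2 so an '=' inside a value is kept; logic is otherwise
# the same as the original: split on '&' and '=', undo '+' and %XX encoding,
# strip HTML comments (and tags when $allow != 1), store in a hash.
sub parse_form {
    my ($buffer, $allow) = @_;
    my %FORM;
    foreach my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ s/<!--(.|\n)*-->//g;
        $value =~ s/<([^>]|\n)*>//g if $allow != 1;
        $FORM{$name} = $value;
    }
    return \%FORM;
}

# Constructed POST body: ordinary guestbook fields plus a field that happens
# to share its name with the script's $mailprog configuration variable.
my $body = 'name=Alice&comment=Hello%21+Nice+site&mailprog=%2Fbin%2Fother';
my $form = parse_form($body, 1);

printf "FORM{mailprog} = %s\n", $form->{mailprog};
printf "\$mailprog     = %s\n", $mailprog;

# The hash receives the decoded field; the scalar keeps its configured path.
die "scalar was overwritten" unless $mailprog eq '/usr/lib/sendmail';
die "hash missing field"     unless $form->{mailprog} eq '/bin/other';
print "ok: user input reached %FORM only, not the sendmail path\n";
```

Run it with `perl` on any system; the two die checks encode the reply's argument, so the script exits non-zero only if a field assignment were somehow to reach $mailprog.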