Vulnerability Development mailing list archives
Re: Serious Hole in Comment/Discussion CGI Script
From: Joe <joe () blarg net>
Date: Fri, 27 Oct 2000 09:45:01 -0700
On Thu, 26 Oct 2000, Vitaly McLain wrote:
> Hi, I am not too good with Perl, but I think I see potential for some exploitation here. You said you were able to open text-files because of... open(FILE, "commentdata/$article.txt"); Does the script parse out any metacharacters from $article? If it does not, then it has major problems. The direct avenue of attack would be to try directory traversal, i.e. trying to view a file like ../../../../../etc/passwd. Obviously this won't work, because there will be a .txt appended to passwd, and that is why you should try that "null trick" you mentioned. Append a %00 to the end, which should confuse Perl into only seeing the /etc/passwd part when opening the script (see Phrack #55 for more info.)
Null byte only works if the script decodes the URL-encoded characters in the query string, which the script is not doing. Hence, although you can grab any '.txt' file, there's no way to inject control characters or whitespace into the query string, which limits the damage you can do. The open() call can be injected with a pipe ('|') to execute commands, but without whitespace to work with there's not much you can do with it. I think there's a happy accident here - the script-author obviously didn't care enough to decode the query string, thereby -accidentally- preventing the script from being able to do serious damage.

--
Joe
Technical Support
General Support: support () blarg net
Blarg! Online Services, Inc.
Voice: 425/401-9821 or 888/66-BLARG
http://www.blarg.net
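As an added example, not code from the thread or from the script under discussion, the following Python (used here instead of the script's Perl so it can be run stand-alone) models the checks that the exchange above implies a comment script should apply to the `$article` value before building the `commentdata/$article.txt` path: it rejects NUL bytes, pipe metacharacters, whitespace and `../` traversal, and it shows why `%00` is only a problem when the query string is actually URL-decoded. The directory name, the allowlist pattern and the function names are assumptions for illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed names: the directory mirrors the "commentdata/" path in the thread,
# and the allowlist pattern is an assumption about what an article id should look like.
COMMENT_DIR = "commentdata"
ARTICLE_RE = re.compile(r"\A[A-Za-z0-9_-]{1,64}\Z")


def classify_article_param(raw, decode=True):
    """Return why a raw $article query value must be rejected, or None if it is acceptable.

    decode=True models a CGI that URL-decodes the query string (so %00 becomes a NUL byte);
    decode=False models the script in the thread, which never decodes it, so "%00" stays
    three literal characters and cannot truncate the ".txt" suffix.
    """
    value = unquote(raw) if decode else raw
    if "\x00" in value:
        return "null byte (would truncate the '.txt' suffix at the C-level open)"
    if "|" in value or value.startswith((">", "<")):
        return "shell/pipe metacharacter (two-arg open() would treat it as a command)"
    if any(c.isspace() for c in value):
        return "whitespace (would let a pipe open take arguments)"
    if ".." in value or "/" in value or "\\" in value:
        return "directory traversal"
    if not ARTICLE_RE.match(value):
        return "outside the allowed identifier character set"
    return None


def comment_file_path(raw):
    """Build the on-disk path for a validated id and confirm it resolves inside COMMENT_DIR."""
    reason = classify_article_param(raw)
    if reason is not None:
        raise ValueError(f"rejected article parameter {raw!r}: {reason}")
    base = os.path.realpath(COMMENT_DIR)
    path = os.path.realpath(os.path.join(base, raw + ".txt"))
    # Defence in depth: even a value that passed the allowlist must not escape the directory.
    if os.path.commonpath([base, path]) != base:
        raise ValueError("resolved path escaped the comment directory")
    return path
```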