Re: Serverside script injection?

[Peter Conrad <conrad () tivano de>]

Hi,

On Fri, Jan 10, 2003 at 09:05:31AM -0000, joh ket wrote:
> I have a question regarding serverside script injection. Does it exist - 
> is it possible?

Depending on how you'd define "serverside script injection" the answer
would usually be "yes". :-)

> In the past there were some vulnerabilities in serverside scripts. It was 
> possible to execute OS-commands through URL/userinput manipulation, 
> I assume this happened mostly with CGI and perl scripts. Was this just 
> based on the way the variables (userinput) was used in OS commands, 
> and if the 'user data' was able to break out the intended command?

That was (is?) a quite common problem, but probably not the only one.

> I think it depends on the applicationserver software if 'serverside script 
> injection' is possible or not (assuming the programmer/coder does not want 
> any security).

No! The programmer of a web application *must* be aware of the security
implications of his programs. Otherwise I think it is possible in *any*
application server (that allows turing-complete programming) to write a
program that can be exploited. It is true that some application servers
make this easier than others.

> Is it (theoretically) possible on ASP servers to inject 'malicious' code 
> into the webpage, so that it is processed on the serverside?
> Is it possible on PHP or Coldfusion?

I remember a posting (probably on bugtraq) a couple of days ago, where
some user data was being written to a file, and the username was used as
the filename. So if your username was "someone.php" and you requested that
file via HTTP the server would parse it as a PHP page - executing any
commands you had embedded in your "user data". That kind of thing would
work on an ASP or JSP server as well.

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg

Germany