lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20031203144118.GJ46019@lt1.cleaton.net>
Date: Wed, 3 Dec 2003 14:41:18 +0000
From: Nick Cleaton <nick@...aton.net>
To: Shaun Colley <shaunige@...oo.co.uk>
Cc: bugtraq@...urityfocus.com
Subject: Re: Jason Maloney's CGI Guestbook Remote Command Execution Vulnerability.


On Mon, Dec 01, 2003 at 06:26:32PM +0000, Shaun Colley wrote:

[SNIP] 

> Here is the error-prone code:
> 
> 
> ###################### CUT HERE ######################
> 
> ############################################################
> #Don't touch, these are necessary to run the script!
> $mailprog = '/usr/lib/sendmail';
> $entry = 1;
> $allow = 1;
> $date_command = "/usr/bin/date";
> ############################################################
> $date = `$date_command +"%B %d, %Y"`; chop($date);
> 
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> @pairs = split(/&/, $buffer);
> foreach $pair (@pairs) {
>    ($name, $value) = split(/=/, $pair);
>    $value =~ tr/+/ /;
>    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>    $value =~ s/<!--(.|\n)*-->//g;
> 
>    if ($allow != 1) {
>       $value =~ s/<([^>]|\n)*>//g;
>    }
> 
>    $FORM{$name} = $value;
> }
> ###################### CUT HERE ######################
> 
> The above code trustingly reads in data from the
> user's HTTP POST request (their submission of a
> guestbook post), assigning all values to variables
> specified in the POST request.  Due to bad user input
> checking, the user could easily change the value of a
> variable holding the path of a program to be opened as
> a pipe, such as $mailprog.  $mailprog holds the path
> of the sendmail application, and could be changed to
> an arbitrary program depending upon the attacker's
> desire.

No, the user could easily change $FORM{'mailprog'}, but there's
nothing in the code above that could change $mailprog itself.

This is a false alarm.

--
Nick Cleaton
nick@...aton.net
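
The following is an added example; it is not part of Nick's reply, Shaun's advisory, or the guestbook script itself. It runs the quoted form-parsing loop over a constructed POST body that carries a field named "mailprog" and checks where the value lands: in the %FORM hash, not in the $mailprog scalar. The POST body is made up for the demonstration, and the symbolic-reference variant at the end is hypothetical, shown only to make concrete what kind of assignment would have been needed for the reported overwrite (the guestbook code does not contain it).

```perl
#!/usr/bin/perl
# Added example, not code from the guestbook or from either poster: run the
# quoted form-parsing loop over a constructed POST body that tries to set
# "mailprog", and check where the value actually ends up.
use strict;
use warnings;

# Fixed configuration, as in the quoted "Don't touch" block.
my $mailprog = '/usr/lib/sendmail';

# Parse an application/x-www-form-urlencoded body exactly the way the quoted
# loop does.  Every decoded value is stored in a hash keyed by field name;
# nothing here assigns through the field name to a scalar variable.
sub parse_form {
    my ($buffer) = @_;
    my %FORM;
    foreach my $pair (split(/&/, $buffer)) {
        my ($name, $value) = split(/=/, $pair);
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ s/<!--(.|\n)*-->//g;
        $FORM{$name} = $value;
    }
    return \%FORM;
}

# Constructed POST body (not captured traffic): a visitor submits a guestbook
# entry and adds a field named "mailprog" pointing at a shell.
my $buffer = 'realname=visitor&mailprog=%2Fbin%2Fsh&comment=hi+there%3C!--x--%3E';
my $FORM = parse_form($buffer);

# The attacker's value is only reachable as $FORM{mailprog}; the scalar the
# script later opens as a pipe is untouched.
$mailprog eq '/usr/lib/sendmail'  or die "config scalar was overwritten";
$FORM->{mailprog} eq '/bin/sh'    or die "hash entry missing";
$FORM->{comment}  eq 'hi there'   or die "decode failed";
print "\$mailprog       = $mailprog\n";
print "\$FORM{mailprog} = $FORM->{mailprog}\n";

# For contrast, and purely hypothetical (the guestbook does not do this): the
# pattern that WOULD let a field name pick a global is a symbolic reference,
# e.g. ${$name} = $value, which Perl allows only without 'use strict'.
our $sym_target = '/usr/lib/sendmail';
{
    no strict 'refs';
    my ($name, $value) = ('sym_target', '/bin/sh');
    ${"main::$name"} = $value;   # writes the package variable $main::sym_target
}
$sym_target eq '/bin/sh' or die "symbolic assignment did not take";
print "symbolic-reference variant: \$sym_target = $sym_target\n";
```

Run it with `perl` and the three checks pass: the decoded shell path is visible only as a hash entry, while $mailprog keeps its hard-coded value. Only the deliberately unsafe symbolic-reference block, which is not present in the quoted code, changes a variable by name.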

