lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
From: gobus at hmj.com (gobus@....com)
Subject: TINYURL - A powerful tool just got more powerful

Overview:
---------
After sending huge urls to friends on one to many occasions (at least they
*tell* me they are my friends), they finally got together and convinced me
to use Tinyurl. While it seemed at first glance to be a powerful tool, and
a great free service, something struck me odd about it. The potential for
abuse here was just too great to go unchecked. After deep, introspective 
thought, I have decided that I firmly believe, "Tinyurl is the Devil".

Problem:
--------
Great service, but if you were coding it, would you really allow unlimited, 
free-form urls? I suggest you pray on it. I have, and I wouldn't. Friends,
input validation is not to be feared. Come to the Light.

Fix:
----
What did I not make clear above? Anyways, you aren't really even reading 
this anymore, are you? You already snuck a peek and saw that there is PoC 
code below. You really don't care about me or my advisory, do you? *sob*

:D

<-------------- begin crufty PoC code -------------->

#!/usr/bin/perl
#
# (c) 2004 all rights reserved by :D
# 
# God bless and keep you from Tinyurl
#
# Props to AG, JW, IG, RH, BH & EU
#
use strict;
use LWP::UserAgent;
use HTTP::Response;
use HTTP::Request::Common;
use MIME::Base64;

# path to curl binary
sub CURL {'/usr/bin/curl '}

# dispatch commands
($ARGV[0] eq 'get')&&($#ARGV==2)&&get($ARGV[1],$ARGV[2]);
($ARGV[0] eq 'put')&&($#ARGV==1)&&put($ARGV[1]);	

# usage
print<<EOF;
Usage $0: [get|put] filename [url]
Use tinyurl.com as a filesystem.
Example: $0 put foo.tgz
         $0 get foo.tgz 2ghmz

  put		Create a new file on tinyurlfs
  get		Retrieve a file from tinyurlfs

EOF

# retrieve a file
sub get {
	my $filename = shift;
	my $url = shift;
	print "\n---> GET [".$filename."] URL [".$url."]\n";
	my $base64 = _get_tinyurl($url);
	open(FILE, '>', $filename);
	binmode FILE;
	print FILE decode_base64($base64);
	close FILE;
	exit();
}

# upload a file
sub put {
	my $filename = shift;
	print "\n---> PUT [$filename]\n";
	my $url = _put_tinyurl($filename);
	print "---> URL [".$url."]\n";
	exit();
}

sub _get_tinyurl {
	my $url = shift;
	# nasty, nasty, nasty HACK, but LWP wasn't playing nice here
	open (RESPONSE, CURL.'http://unicyclist.com/tinyurl/redirect.php?num='.$url.' |');
	my @out = <RESPONSE>;
 	chomp @out;
	my $joined = join('',@out);
	$joined =~ s/Location: http:\/\///;
	return $joined;
}

sub _put_tinyurl {
	my $filename = shift;
	my $ua = LWP::UserAgent->new();
	my $raw;
	open(FILE,$filename);
	binmode(FILE);
	while(<FILE>) {
		$raw.=$_;
	}
	my $base64 = encode_base64($raw);
	my $re = '<blockquote>(http://tinyurl\.com/.*?)</blockquote>';
	my $response = $ua->request( POST 'http://tinyurl.com/create.php',[ url => $base64 ] );
	if ($response->is_success and $response->content =~ /$re/) {
		my $url = $1;
		$url =~ s/http:\/\/tinyurl.com\///g;
		return $url
	}
	die("unable to upload ".$filename);
}

<-------------- end crufty PoC code -------------->

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ