Message-ID: <200405071137.i47Bbee19256@netsys.com>
From: gobus at hmj.com (gobus@....com)
Subject: TINYURL - A powerful tool just got more powerful

Overview:
---------
After sending huge URLs to friends on one too many occasions (at least they
*tell* me they are my friends), they finally got together and convinced me
to use Tinyurl. While it seemed at first glance to be a powerful tool, and
a great free service, something struck me as odd about it. The potential for
abuse here was just too great to go unchecked. After deep, introspective
thought, I have decided that I firmly believe, "Tinyurl is the Devil".

Problem:
--------
Great service, but if you were coding it, would you really allow unlimited,
free-form URLs? I suggest you pray on it. I have, and I wouldn't. Friends,
input validation is not to be feared. Come to the Light.

Fix:
----
What did I not make clear above? Anyways, you aren't really even reading 
this anymore, are you? You already snuck a peek and saw that there is PoC 
code below. You really don't care about me or my advisory, do you? *sob*

:D

<-------------- begin crufty PoC code -------------->

#!/usr/bin/perl
#
# (c) 2004 all rights reserved by :D
# 
# God bless and keep you from Tinyurl
#
# Props to AG, JW, IG, RH, BH & EU
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Response;
use HTTP::Request::Common;
use MIME::Base64;

# path to curl binary
sub CURL {'/usr/bin/curl'}

# dispatch commands; anything that does not match falls through to the usage text
(@ARGV && $ARGV[0] eq 'get')&&($#ARGV==2)&&get($ARGV[1],$ARGV[2]);
(@ARGV && $ARGV[0] eq 'put')&&($#ARGV==1)&&put($ARGV[1]);

# usage
print<<EOF;
Usage $0: [get|put] filename [url]
Use tinyurl.com as a filesystem.
Example: $0 put foo.tgz
         $0 get foo.tgz 2ghmz

  put		Create a new file on tinyurlfs
  get		Retrieve a file from tinyurlfs

EOF

# retrieve a file
sub get {
	my $filename = shift;
	my $url = shift;
	print "\n---> GET [".$filename."] URL [".$url."]\n";
	my $base64 = _get_tinyurl($url);
	# write the decoded bytes to the requested local file
	open(my $fh, '>', $filename) or die "cannot write $filename: $!";
	binmode $fh;
	print $fh decode_base64($base64);
	close $fh;
	exit();
}

# upload a file
sub put {
	my $filename = shift;
	print "\n---> PUT [$filename]\n";
	my $url = _put_tinyurl($filename);
	print "---> URL [".$url."]\n";
	exit();
}

sub _get_tinyurl {
	my $url = shift;
	# nasty, nasty, nasty HACK, but LWP wasn't playing nice here
	# (list-form pipe open: the identifier goes to curl as one argument, not through a shell)
	open(my $response, '-|', CURL(), 'http://unicyclist.com/tinyurl/redirect.php?num='.$url)
		or die "cannot run curl: $!";
	my @out = <$response>;
	close $response;
	chomp @out;
	my $joined = join('',@out);
	# strip the redirect prefix; what remains is the base64 text stored as the "URL"
	$joined =~ s/Location: http:\/\///;
	return $joined;
}

sub _put_tinyurl {
	my $filename = shift;
	my $ua = LWP::UserAgent->new();
	my $raw = '';
	# slurp the file as raw bytes
	open(my $fh, '<', $filename) or die "cannot read $filename: $!";
	binmode($fh);
	while(<$fh>) {
		$raw.=$_;
	}
	close $fh;
	my $base64 = encode_base64($raw);
	# the created short URL is echoed back inside a <blockquote>
	my $re = '<blockquote>(http://tinyurl\.com/.*?)</blockquote>';
	my $response = $ua->request( POST 'http://tinyurl.com/create.php',[ url => $base64 ] );
	if ($response->is_success and $response->content =~ /$re/) {
		my $url = $1;
		$url =~ s/http:\/\/tinyurl\.com\///g;
		return $url;
	}
	die("unable to upload ".$filename);
}

<-------------- end crufty PoC code -------------->
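The advisory's actual point is the server side: a shortener that accepts any free-form string as a "URL" becomes a file store. The Python below is an added example, not part of the original post or of TinyURL's create.php, showing the validation such a service could run on the submitted field; the 2048-character cap, the hostname rule and the sample file bytes are assumptions.

```python
"""Server-side check a URL shortener could run on the submitted `url` field
(constructed example).  The PoC posts a file's base64 text as the "URL"."""
import base64
import re
from urllib.parse import urlsplit

MAX_URL_LEN = 2048            # assumed cap; "unlimited" is what the advisory objects to
ALLOWED_SCHEMES = {"http", "https"}
# public shortener: require a dotted DNS name (labels 1-63 chars, alnum and hyphen)
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def validate_url(raw: str) -> tuple[bool, str]:
    """Return (accepted, reason).  Only syntactically sound http(s) URLs pass."""
    if len(raw) > MAX_URL_LEN:
        return False, "too long"
    # encode_base64 output carries line breaks; a URL has no whitespace or control bytes
    if any(not 0x21 <= ord(c) <= 0x7e for c in raw):
        return False, "whitespace or non-printable character"
    try:
        parts = urlsplit(raw)
        _ = parts.port            # raises ValueError when the port is out of range
    except ValueError:
        return False, "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not http/https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    if not HOST_RE.match(parts.hostname or ""):
        return False, "malformed host"
    return True, "ok"

def poc_style_payload(data: bytes) -> str:
    # mimic MIME::Base64::encode_base64 as the Perl PoC uses it (76-column lines)
    return base64.encodebytes(data).decode("ascii")

def demo() -> dict:
    fake_tgz = b"\x1f\x8b\x08\x00" + bytes(range(256)) * 4   # constructed file bytes
    blob = poc_style_payload(fake_tgz)
    return {
        "poc_blob": validate_url(blob),
        "poc_blob_one_line": validate_url(blob.replace("\n", "")),
        "legit": validate_url("https://www.example.com/some/very/long/path?q=1&r=2"),
        "oversized": validate_url("http://example.com/" + "a" * MAX_URL_LEN),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:18} {'accept' if ok else 'reject'}: {why}")
```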

