[24806] in bugtraq
Re: PHP script: Penguin Traceroute, Remote Command Execution
daemon@ATHENA.MIT.EDU (Philip Turner)
Fri Mar 22 20:49:40 2002
From: "Philip Turner" <p.turner@newman.ac.uk>
To: <bugtraq@securityfocus.com>
Date: Fri, 22 Mar 2002 08:52:17 -0000
MIME-Version: 1.0
Reply-To: p.turner@newman.ac.uk
Message-ID: <3C9AF0C1.26104.4E8B5A@localhost>
In-reply-to: <001d01c1d0e2$f9c66680$8f7a6bd5@server1>
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body
On 21 Mar 2002 at 14:16, paul jenkins wrote:
> /* ------------------------------ *
> * --------Security Freaks------- *
> * ----www.securityfreaks.com---- *
> * ------------------------------ */
>
>
> Info
> ====
> Software: Penguin Traceroute
> Website: http://www.linux-directory.com/scripts/traceroute.shtml
> Versions: 1.0
> Platforms: Linux
> Vulnerability Type: Remote Command Execution
>
>
> Details
> =======
> Penguin Traceroute is a Perl script that does traceroute. This is another
> script where the author forgets to parse the input for any ; | characters
> and any user is able to execute anything he wants with the same
> permissions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd"
> and there go the passwords, or if the user apache has write access
> "127.0.0.1;echo I iz 1337>index.html".
>
>
> Fix
> ===
> Open up the Perl script in your favorite text editor, find a line that has
> "$host = $q->param('host');" It's usually the 13th line down then just add
> this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and

Shouldn't this be "$host =~ s/[^0-9A-Za-z.-]//g;" on the basis
that accepting known good is safer than rejecting known bad?

> that should parse out any unwanted characters.
>
>
>
>
--
Phil Turner
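
The known-good approach from the reply, set beside the advisory's deny-list, as an added example that is not part of the original messages or of the Penguin Traceroute script. The helper names (valid_host, denylist_strip, run_traceroute), the 255-character limit, the leading-character rule and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: return the host if it is built only from known-good
# characters, otherwise undef. Rejecting (rather than stripping) means the
# request is never silently rewritten into a different target.
sub valid_host {
    my ($host) = @_;
    return undef unless defined $host && length($host) <= 255;
    # Character set from the reply, plus an assumed extra rule: the first
    # character must be alphanumeric so the value cannot be read as an
    # option. \A and \z anchor the whole string, trailing newline included.
    return $host =~ /\A[0-9A-Za-z][0-9A-Za-z.-]*\z/ ? $host : undef;
}

# The deny-list substitution quoted in the advisory, kept for comparison.
sub denylist_strip {
    my ($host) = @_;
    $host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;
    return $host;
}

# Hypothetical wrapper: list-form system() hands the arguments directly to
# the program, so no shell ever parses the host value.
sub run_traceroute {
    my ($host) = @_;
    my $checked = valid_host($host);
    return -1 unless defined $checked;
    return system('traceroute', $checked);
}

# Constructed sample inputs, not taken from any real request log.
my @samples = ('127.0.0.1', 'www.example.com', '127.0.0.1;id',
               "127.0.0.1\n", '-n', 'a b');

for my $in (@samples) {
    my $verdict = defined valid_host($in) ? 'accept' : 'reject';
    (my $shown = $in) =~ s/\n/\\n/g;
    (my $left = denylist_strip($in)) =~ s/\n/\\n/g;
    printf "%-16s allow-list: %-6s  deny-list leaves: %s\n",
        $shown, $verdict, $left;
}
```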