[24812] in bugtraq

Re: PHP script: Penguin Traceroute, Remote Command Execution

daemon@ATHENA.MIT.EDU (bugtraq@planet.nl)
Fri Mar 22 21:30:53 2002

From: bugtraq@planet.nl
To: "paul jenkins" <jenkins@securityfreaks.com>
Date: Fri, 22 Mar 2002 23:53:41 +0100
MIME-Version: 1.0
Cc: bugtraq@securityfocus.com
Message-ID: <3C9BC405.4891.18121A@localhost>
In-reply-to: <001d01c1d0e2$f9c66680$8f7a6bd5@server1>
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Content-description: Mail message body

I informed the admin of linux-directory about this months ago, but he doesn't seem to 
care a lot. The nslookup script on his site is also vulnerable to file reading and 
command execution vulnerabilities.
Anyone noticed that the sample traceroute script doesn't work at all?

Niels Teusink

On 21 Mar 2002 at 14:16, paul jenkins wrote:

> /* ------------------------------ *
>  * --------Security Freaks------- *
>  * ----www.securityfreaks.com---- *
>  * ------------------------------ */
> 
> 
> Info
> ====
> Software: Penguin Traceroute
> Website: http://www.linux-directory.com/scripts/traceroute.shtml
> Versions: 1.0
> Platforms: Linux
> Vulnerability Type: Remote Command Execution
> 
> 
> Details
> =======
> Penguin Traceroute is a perl script that does traceroute. This is another
> script where the author forgets to parse the input for any ; | characters 
> and any user is able to execute anything he wants with the same 
> permissions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd" 
> and there goes the passwords, or if the user apache has write access 
> "127.0.0.1;echo I iz 1337>index.html".
> 
> 
> Fix
> ===
> Open up the perl script in your favorite text editor, find a line that has
> "$host = $q->param('host');" It's usually the 13th line down. Then just add 
> this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and 
> that should parse out any unwanted characters.
> 
> 
> 
> 
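Added example, not part of the original advisory or of the Penguin Traceroute script: a hardened version of the host-handling step, in Perl. Rather than stripping a list of unwanted characters as the fix above does, it accepts only hostname/IPv4 syntax, runs under taint mode, and starts traceroute with a list-form open so no shell ever parses the argument. The traceroute path /usr/sbin/traceroute is an assumption.

```perl
#!/usr/bin/perl -T
# Added example (not the Penguin Traceroute script): read the host from the CGI
# request, accept only hostname/IPv4 syntax, and run traceroute without a shell.
use strict;
use warnings;
use CGI;

# Taint mode (-T) refuses to pass request data to exec/open-pipe until it has
# been explicitly validated; it also requires a trusted PATH and a clean env.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Allowlist: labels of letters, digits and hyphens joined by dots, at most 253
# chars, no leading hyphen (so the value cannot be read as a traceroute option).
# Returns the untainted host, or undef if the value is rejected.
sub untaint_host {
    my ($raw) = @_;
    return unless defined $raw && length($raw) <= 253;
    my ($host) = $raw =~ /\A([A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*)\z/;
    return $host;    # undef when the regex did not match
}

my $q = CGI->new;
print $q->header('text/plain');

my $host = untaint_host(scalar $q->param('host'));
if (!defined $host) {
    print "Rejected: host must be a hostname or IPv4 address\n";
    exit 0;
}

# List-form open: the argument list goes straight to execve(), so no shell
# interprets $host and characters such as ';' and '|' carry no special meaning.
# Path to traceroute is an assumption; adjust for your system.
open(my $tr, '-|', '/usr/sbin/traceroute', $host)
    or die "cannot run traceroute: $!\n";
print while <$tr>;
close($tr);
```

Under -T, Perl dies with "Insecure dependency" if any tainted value reaches the open, so a forgotten validation step fails closed instead of becoming a command injection.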


