[25907] in bugtraq


DPGS allows any file to be overwritten

daemon@ATHENA.MIT.EDU (b0iler)
Fri Jun 21 17:27:13 2002

Date: Fri, 21 Jun 2002 22:59:35 -0700
Message-Id: <200206212259.AA34078842@eyeonsecurity.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "b0iler " <b0iler@eyeonsecurity.net>
Reply-To: <b0iler@eyeonsecurity.net>
To: <bugtraq@securityfocus.com>
Cc: <ilia@lobsanov.com>

Taken from the script's website:
"WARNING: DPGS is no longer maintained and is thus discontinued. If you would like to take over its development, email me. - July 30, 2000"

This is the reason why I did not contact the author prior to this email.

This is an example of how weak input filtering and an open() call built from user input make a nasty combination.

The script is Duma Photo Gallery System, and the problematic open() is in update.dpgs:

open(DATABASE, ">$path_to_members/$FORM{'id'}/data.txt")
    || &error("Couldn't write $path_to_members/$FORM{'id'}/data.txt");

while ( ($form_key, $form_value) = each(%FORM) ) {
    print DATABASE "$form_key$delimiter$form_value\n" unless
        ( $form_value eq '' || $form_key eq "id" || $form_key =~ "password" );
}
close(DATABASE);

This opens the data file of the user named by $FORM{'id'} for writing and then writes the submitted form fields into it. Now
here is the filtering that DPGS.pll applies to every value that ends up in %FORM:

        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; # URL-decode %XX escapes (so %00 becomes a null byte)
        $value =~ s/<([^>]|\n)*>//g;
        $value =~ s/<!--(.|\n)*-->//g;  #removes any server side includes
        $value =~ s/^\s+//;             #remove any leading spaces
        $value =~ s/\s+$//;             #remove any trailing spaces
        $value =~ s/$delimiter//g;      #remove delimiters if any.
        $value =~ s/\"/\&quot\;/g;      #replace quotes with &quot;
        $value =~ s/\r\n/<BR>/g;        #replace new line characters with <BR>
        $FORM{$name} = $value;
    }   # end of the per-parameter loop (the loop header is not shown here)

None of these stop directory traversal or the null byte. So if we sign up with an id of ../../etc/passwd\0, then /etc/passwd is the file that gets opened for writing. We can write to any file this way, including overwriting other users' data.txt files or
the admin data file '../admin'.

No fix is on hand, but feel free to come up with your own. Filter for null bytes and reverse directory
traversal.
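As an added example (not DPGS's own code), the Perl below re-runs the DPGS.pll filter chain quoted above over the id from the advisory, then applies a whitelist check that rejects it before any path is built; the delimiter value and the function names are assumptions.

```perl
#!/usr/bin/perl
# Added example, not DPGS code: re-run the DPGS.pll filter chain quoted above
# over the advisory's id value, then validate the id with a whitelist instead.
use strict;
use warnings;

my $delimiter = "\t";   # assumed; the advisory does not give DPGS's real value

# The per-value filter chain quoted from DPGS.pll, unchanged.
sub dpgs_filter {
    my ($value) = @_;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $value =~ s/<([^>]|\n)*>//g;
    $value =~ s/<!--(.|\n)*-->//g;
    $value =~ s/^\s+//;
    $value =~ s/\s+$//;
    $value =~ s/$delimiter//g;
    $value =~ s/\"/\&quot\;/g;
    $value =~ s/\r\n/<BR>/g;
    return $value;
}

# Whitelist check (hypothetical name): a member id is 1-32 chars of [A-Za-z0-9_-].
# NUL, '/', '.' and '%' can never pass, so there is nothing to strip.
sub is_safe_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[A-Za-z0-9_-]{1,32}\z/;
}

# Only build the path after validation; three-argument open keeps the '>'
# mode out of the filename, so the name can never change the open mode.
sub open_member_data {
    my ($path_to_members, $id) = @_;
    die "rejected member id\n" unless is_safe_id($id);
    open(my $fh, '>', "$path_to_members/$id/data.txt")
        or die "Couldn't write $path_to_members/$id/data.txt: $!\n";
    return $fh;
}

# Constructed inputs: a normal id, the advisory's traversal id, and '../admin'.
for my $raw ('alice', '../../etc/passwd%00', '../admin') {
    my $filtered = dpgs_filter($raw);
    (my $shown = $filtered) =~ s/\0/\\0/g;        # make the null byte visible
    printf "%-22s -> %-22s safe=%s\n", $raw, $shown,
        is_safe_id($filtered) ? 'yes' : 'NO';
}
eval { open_member_data('members', dpgs_filter('../admin')) };
print "open refused: $@" if $@;
```

The filter output shows that every character of the traversal id survives the DPGS.pll substitutions, which is why a whitelist on the id (rather than stripping known-bad characters) is the robust fix.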

b0iler - http://b0iler.eyeonsecurity.net

Make sure to check out http://b0iler.eyeonsecurity.net/tutorials/hackingcgi.htm for a great paper on Perl CGI security and exploitation. It covers many new methods of exploiting common Perl CGI code, including the s/<!--(.|\n)*-->//g; "filter" which is used in this script and thousands of others.
