[3863] in bugtraq
jj cgi
daemon@ATHENA.MIT.EDU (Aleph One)
Tue Dec 24 22:05:06 1996
Date: Tue, 24 Dec 1996 20:30:20 -0600
Reply-To: Aleph One <aleph1@dfw.net>
From: Aleph One <aleph1@dfw.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
jj.c is a demo cgi program. It passes unfiltered user input to
/bin/mail. You know what that means. Use ~ to escape to a shell, etc.
The segment of the code looks like:
    if(allow) {
        char t[256];
        /* JJ_FAX comes straight from the request and is pasted into the
           command line unfiltered; popen() runs that line through /bin/sh. */
        sprintf(t,"/bin/mail %s",JJ_FAX);
        if(!(order=popen(t,"w")))
            print_error("the server was unable to open a pipe to mail");
For allow to be true a password must be supplied. I have seen both
"HTTPdrocks" and "SDGROCKS" used as default in the source code. To make
matters more interesting it defined the following variable:
char w[256];
It then uses getword to fill it with user supplied data:
getword(w,cl,'=');
getword is defined as:
    void getword(char *word, char *line, char stop) {
        int x = 0,y;
        /* Copy line into word up to the first `stop` character; nothing
           limits how many bytes are written to word, whatever its size. */
        for(x=0;((line[x]) && (line[x] != stop));x++)
            word[x] = line[x];
        word[x] = '\0';
        if(line[x]) ++x;                  /* skip the delimiter */
        y=0;
        while((line[y++] = line[x++]));   /* shift the rest of line to the front */
    }
As you can see it does no bounds checking. Lucky for them that main
calls exit before returning or you would have a nice buffer overflow.
This code should be studied as an example of how NOT to write secure
programs.
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
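A bounded replacement for getword() and an allowlist check for the /bin/mail recipient, as an added example that is not part of the original post or of jj.c; getword_n, mail_recipient_ok and the query string are assumed names and constructed input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounded version of jj.c's getword(): same behaviour (copy line up to
   `stop` into word, then shift the rest of line down) but it takes the
   size of word and never writes past it. Returns 0, or -1 on truncation. */
int getword_n(char *word, size_t wordsize, char *line, char stop) {
    size_t x = 0, y = 0, n = 0;
    int truncated = 0;
    if (wordsize == 0) return -1;
    while (line[x] && line[x] != stop) {
        if (n + 1 < wordsize)
            word[n++] = line[x];
        else
            truncated = 1;          /* drop the excess instead of overrunning word */
        x++;
    }
    word[n] = '\0';
    if (line[x]) ++x;               /* skip the delimiter */
    while ((line[y++] = line[x++]) != '\0')
        ;                           /* shift the rest of line to the front */
    return truncated ? -1 : 0;
}

/* Accept a recipient only if it is non-empty, short, does not start with '-'
   (so mail cannot read it as an option) and holds nothing but address
   characters; popen() uses /bin/sh, so ';', '|', '`', '$', spaces are refused. */
int mail_recipient_ok(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 64 || s[0] == '-') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && !strchr("@._+-", *s))
            return 0;
    return 1;
}

int main(void) {
    /* Constructed query string in the name=value&... form jj.c parses. */
    char cl[] = "JJ_FAX=5551234&PASSWORD=x", w[8];  /* w small to show truncation */
    while (cl[0]) {
        getword_n(w, sizeof w, cl, '=');            /* field name */
        printf("%s = ", w);
        getword_n(w, sizeof w, cl, '&');            /* field value */
        printf("%s (%s)\n", w, mail_recipient_ok(w) ? "ok" : "rejected");
    }
    return 0;
}
```

A recipient that passes the check can still be handed to mail without a shell at all (fork and execv of /bin/mail with the recipient as a separate argument), which removes the popen() parsing step entirely.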