[8664] in bugtraq
Re: Security bugs in Excite for Web Servers 1.1
daemon@ATHENA.MIT.EDU (Andrew Pitman)
Thu Dec 3 11:21:55 1998
Date: Tue, 1 Dec 1998 17:57:47 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Andrew Pitman <ap1@TORCH.ROWAN.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199812011641.MAA04487@server.solutioninc.com>
On Tue, 1 Dec 1998, Gurjeet Clair wrote:
> Today I saw <Michael Gerdts> say:
>
> > On November 11 I reported the folloing problmes to ewsbugs@excite.com. I
> > have only recieved an automated reply.
Hmmmmm.....
>
> sub make_files_readwriteable {
> local($files) = @_;
> return 1 if ($ews_port eq 'NT');
> return system("/bin/chmod a+rw $files"); <---- EVIL!
> }
>
> Ahh, theres the litte culprit right there! The "chmod a+rw $files". Well
> one fix is to use "chmod 0600 $file" (i think u+rw) OR not use the system call
The problem (I think) is that user data ($files) is allowed to be parsed
by the shell before /bin/chmod touches it. This is dangerous, since they
can make $files be something like "filename; some command here" or even
"`some command here`". Under sh or bash, "some command here" _would_ get
run as the user the webserver is running as..... I could be mistaken,
though, as I haven't looked at the rest of the source. This kind of thing
would be OK if all non-alphanumeric, non-period, and non-dash characters
were filtered out using tr or some such.
> itself and use the built in perl functions to set permissions. Of course this
> only creates the permissions as the user that the webserver runs as.
I question why the author didn't just use the Perl builtin function
chmod().... Or, system with the fields separated by commas:
system "/bin/chmod", "a+rw", $files; # This would be OK since it
# doesn't use sh.
At any rate, why was the file being made world writable anyway?
Andrew
--
"The wonderful thing about standards is that there are so
many to choose from."
(Andrew S. Tanenbaum)
-------------------------------------------------------------
Andrew Pitman MIS
Unix System Administrator Rowan University
-------------------------------------------------------------