
Re: Security bugs in Excite for Web Servers 1.1

daemon@ATHENA.MIT.EDU (Andrew Pitman)
Thu Dec 3 11:21:55 1998

Date: 	Tue, 1 Dec 1998 17:57:47 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Andrew Pitman <ap1@TORCH.ROWAN.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199812011641.MAA04487@server.solutioninc.com>

On Tue, 1 Dec 1998, Gurjeet Clair wrote:

> Today I saw <Michael Gerdts> say:
>
> > On November 11 I reported the following problems to ewsbugs@excite.com.  I
> > have only received an automated reply.

Hmmmmm.....

>
> sub make_files_readwriteable {
>     local($files) = @_;
>     return 1 if ($ews_port eq 'NT');
>     return system("/bin/chmod a+rw $files");  # <---- EVIL!
> }
>
> Ahh, there's the little culprit right there! The "chmod a+rw $files".  Well
> one fix is to use "chmod 0600 $file" (I think u+rw) OR not use the system call

The problem (I think) is that user data ($files) is allowed to be parsed
by the shell before /bin/chmod touches it.  This is dangerous, since they
can make $files be something like "filename; some command here" or even
"`some command here`".  Under sh or bash, "some command here" _would_ get
run as the user the webserver is running as.....  I could be mistaken,
though, as I haven't looked at the rest of the source.  This kind of thing
would be OK if all non-alphanumeric, non-period, and non-dash characters
were filtered out using tr or some such.

> itself and use the built-in Perl functions to set permissions.  Of course this
> only creates the permissions as the user that the webserver runs as.

I question why the author didn't just use the Perl builtin function
chmod()....  Or, system with the fields separated by commas:

       system "/bin/chmod", "a+rw", $files;  # This would be OK since it
                                             # doesn't use sh.

At any rate, why was the file being made world writable anyway?

Andrew
--
  "The wonderful thing about standards is that there are so
   many to choose from."
                                        (Andrew S. Tanenbaum)
-------------------------------------------------------------
  Andrew Pitman                           MIS
  Unix System Administrator               Rowan University
-------------------------------------------------------------
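The two fixes discussed in this thread (Perl's builtin chmod() behind a character filter, and the list form of system() that never invokes /bin/sh), written out as an added example; this is not code from Excite for Web Servers or from any of the posters. The function names, the tempdir demo, and the inclusion of '/' and '_' in the allowed character set are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical replacement for make_files_readwriteable(): validate the
# name, then use Perl's builtin chmod, so no shell ever sees $files.
sub make_files_readwriteable_safe {
    my (@files) = @_;
    for my $f (@files) {
        # Allow only alphanumerics, '.', '-' (as proposed in the thread);
        # '/' and '_' are an assumption of this example.  Anything else,
        # including ';', backticks and whitespace, is rejected.
        return 0 unless $f =~ m{\A[A-Za-z0-9._/-]+\z};
    }
    # builtin chmod returns the number of files successfully changed;
    # 0600 (owner read/write) rather than world-writable a+rw.
    my $changed = chmod 0600, @files;
    return $changed == @files ? 1 : 0;
}

# If the external /bin/chmod is really wanted, the list form of system()
# bypasses /bin/sh: each argument is passed to chmod literally, so a
# metacharacter in a filename is just part of a (non-existent) filename.
sub make_files_readwriteable_exec {
    my (@files) = @_;
    return system('/bin/chmod', '0600', @files) == 0 ? 1 : 0;
}

# Constructed demo: one real file and one hostile name carrying a command.
my $dir     = tempdir(CLEANUP => 1);
my $good    = "$dir/report.txt";
my $hostile = "$dir/report.txt; touch $dir/pwned";
open my $fh, '>', $good or die "cannot create $good: $!";
close $fh;

print make_files_readwriteable_safe($good)    ? "safe: ok\n"
                                              : "safe: failed\n";
print make_files_readwriteable_safe($hostile) ? "safe: ok\n"
                                              : "safe: rejected hostile name\n";

# chmod complains about the literal filename on stderr; nothing is executed.
make_files_readwriteable_exec($hostile);
print -e "$dir/pwned" ? "a shell ran the injected command\n"
                      : "no shell: list-form system() passed the name literally\n";
```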
