[18445] in bugtraq
Metacharacterbug in Fastgraf whois.cgi
daemon@ATHENA.MIT.EDU (Marco van Berkum)
Fri Jan 5 15:25:40 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <3A55B8E1.A9868CEE@obit.nl>
Date: Fri, 5 Jan 2001 13:06:57 +0100
Reply-To: m.v.berkum@obit.nl
From: Marco van Berkum <m.v.berkum@OBIT.NL>
To: BUGTRAQ@SECURITYFOCUS.COM
Metacharacterbug in the Fastgraf whois.cgi perlscript
-----------------------------------------------------
Author : Fastgraf (c) All rights reserved.
url : http://www.fastgraf.com
realeasedate : 03/01/99
Problem:
The whois.cgi script of Fastgraf has almost no metacharcterchecking
which enables attackers to execute commands as uid of the webserver.
The metacharcterbug in the script:
$FORM{'host'} =~ s/(\;)//g;
As you can see only the ";" gets deleted. So attackers are still able
to use pipes, redirectioncharacters and so on.
Solution:
Change the filtering to:
$FORM{'host'} =~ s/(\W)/\\$1/g;
The author has been notified to correct this problem.
grtz,
Marco van Berkum
------------------------------------------------------------
Sex is like hacking. You get in, you get out,
and you hope you didn't leave something behind
that can be traced back to you.
Marco van Berkum, System Operator/Security Analyst OBIT b.v.
RIPEHANDLE: MB17300-RIPE
