[32658] in bugtraq
Re: Jason Maloney's CGI Guestbook Remote Command Execution Vulnerability.
daemon@ATHENA.MIT.EDU (Nick Cleaton)
Wed Dec 3 14:35:59 2003
Date: Wed, 3 Dec 2003 14:41:18 +0000
From: Nick Cleaton <nick@cleaton.net>
To: Shaun Colley <shaunige@yahoo.co.uk>
Cc: bugtraq@securityfocus.com
Message-ID: <20031203144118.GJ46019@lt1.cleaton.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20031201182632.46266.qmail@web25105.mail.ukl.yahoo.com>
On Mon, Dec 01, 2003 at 06:26:32PM +0000, Shaun Colley wrote:
[SNIP]
> Here is the error-prone code:
>
>
> ###################### CUT HERE ######################
>
> ############################################################
> #Don't touch, these are necessary to run the script!
> $mailprog = '/usr/lib/sendmail';
> $entry = 1;
> $allow = 1;
> $date_command = "/usr/bin/date";
> ############################################################
> $date = `$date_command +"%B %d, %Y"`; chop($date);
>
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> @pairs = split(/&/, $buffer);
> foreach $pair (@pairs) {
> ($name, $value) = split(/=/, $pair);
> $value =~ tr/+/ /;
> $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
> hex($1))/eg;
> $value =~ s/<!--(.|\n)*-->//g;
>
> if ($allow != 1) {
> $value =~ s/<([^>]|\n)*>//g;
> }
>
> $FORM{$name} = $value;
> }
> ###################### CUT HERE ######################
>
> The above code trustingly reads in data from the
> user's HTTP POST request (their submission of a
> guestbook post), assigning all values to variables
> specified in the POST request. Due to bad user input
> checking, the user could easily change the value of a
> variable holding the path of a program to be opened as
> a pipe, such as $mailprog. $mailprog holds the path
> of the sendmail application, and could be changed to
> an arbitrary program depending upon the attacker's
> desire.
No, the user could easily change $FORM{'mailprog'}, but there's
nothing in the code above that could change $mailprog itself.
This is a false alarm.
--
Nick Cleaton
nick@cleaton.net
