<<< Date Index >>>     <<< Thread Index >>>

Re: Jason Maloney's CGI Guestbook Remote Command Execution Vulnerability.



On Mon, Dec 01, 2003 at 06:26:32PM +0000, Shaun Colley wrote:

[SNIP] 

> Here is the error-prone code:
> 
> 
> ###################### CUT HERE ######################
> 
> ############################################################
> #Don't touch, these are necessary to run the script!
> $mailprog = '/usr/lib/sendmail';
> $entry = 1;
> $allow = 1;
> $date_command = "/usr/bin/date";
> ############################################################
> $date = `$date_command +"%B %d, %Y"`; chop($date);
> 
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> @pairs = split(/&/, $buffer);
> foreach $pair (@pairs) {
>    ($name, $value) = split(/=/, $pair);
>    $value =~ tr/+/ /;
>    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",
> hex($1))/eg;
>    $value =~ s/<!--(.|\n)*-->//g;
> 
>    if ($allow != 1) {
>       $value =~ s/<([^>]|\n)*>//g;
>    }
> 
>    $FORM{$name} = $value;
> }
> ###################### CUT HERE ######################
> 
> The above code trustingly reads in data from the
> user's HTTP POST request (their submission of a
> guestbook post), assigning all values to variables
> specified in the POST request.  Due to bad user input
> checking, the user could easily change the value of a
> variable holding the path of a program to be opened as
> a pipe, such as $mailprog.  $mailprog holds the path
> of the sendmail application, and could be changed to
> an arbitrary program depending upon the attacker's
> desire.

No, the user could easily change $FORM{'mailprog'}, but there's
nothing in the code above that could change $mailprog itself.

This is a false alarm.

--
Nick Cleaton
nick@xxxxxxxxxxx