httpd-dev mailing list archives

From Jennifer Myers <jmy...@marigold.eecs.nwu.edu>
Subject Re: util.c hole and speed of security patch release
Date Thu, 25 Apr 1996 19:36:21 GMT

> On Thu, 25 Apr 1996, Dirk.vanGulik wrote:
> > I am not sure if I am right, but if I try plugging that hole
> > I seem to lose the newlines in my forms, i.e. from a textarea
> > or some fancy hidden field. Insofar as I can see this is not
> > a hole but an essential feature; and it is bad cgi programming 
> > which might cause problems.
> > 
> > Or am I editing the wrong escape sequence ?
> 
> Talking about src/util.c:
> 
> Don't the newlines get encoded to %0A by the client before submission?  
> If so, then stripping '\n' before passing data on to the CGI script 
> should be fine, because the decoding from %0A to '\n' happens in the CGI 
> script itself, and only the CGI script can check it for validity.

IMHO, there is no real bug in src/util.c (for reasons I detailed
earlier: escape_shell_cmd() seems a relic from htbin days in which the
server was kind enough to escape shell meta-characters from SSI execs
and the argv sent to htbin/CGI scripts).  In fact, one might go so far
as to junk the usage of escape_shell_cmd() entirely within the httpd
source.  (Though maybe I'm missing something; I'm not all too familiar
with the httpd code.)

I certainly think it is safe *not* to patch src/util.c to escape
newlines.  Maybe later I'll look at the implications of adding '\n' to
escape_shell_cmd() (or maybe someone already has?) in terms of what it
breaks.

The only exploit of this that I can think of comes about through usage
of an insecure CGI script: one that assumes that argv has all its shell
meta-characters already escaped and proceeds to pass that string to a
shell.  (Incidentally, httpd also "dehexifies" argv before passing it
to the CGI script; this is why you can embed %0A in the URL and have
it be translated to '\n' in the argv sent to a CGI script.)

Incidentally, I wrote to NASIRC yesterday (the originators of this
latest advisory) and they informed me that they noted the
presence of the same escape_shell_cmd() code in src/util.c as in
cgi-src/util.c, but did not examine the source code any further to
determine whether there was actually any vulnerability there.
(Seems that they really jumped the gun in posting the advisory.)

I detailed one possible vulnerability in my earlier posting, but none of
the cgi-src/cgi-bin code distributed by Apache fits those criteria (and
it seems to be slated for deletion anyway), nor would any reasonable CGI
script contain this vulnerability; and if it did, the fault and the fix
ought to be in the CGI script.  (CGI writers really shouldn't trust argv
to be escaped -- is it documented that it is?  Also, is argv regularly
used in modern CGI programs?)

--
Jennifer Myers				http://www.eecs.nwu.edu/~jmyers/
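The pipeline the message describes (server dehexifies the query string into argv, runs it through an escape_shell_cmd()-style backslash escaper, and a careless CGI hands the result to /bin/sh) can be modeled in a few dozen lines of C. The program below is an added example, not code from httpd, from the advisory, or from anyone in this thread. The metacharacter sets META_OLD and META_NEW, the function names, and the query strings are assumptions constructed for the demonstration; the shell lexer is a deliberately small model, enough to show why an escaper that omits '\n' lets %0A become a second command, and why an allowlist in the CGI closes the hole whatever the server does.

```c
/* Added example: models dehexify -> escape -> "sh -c" as the thread describes.
 * Names, escape sets and inputs are assumptions, not the httpd source. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hex digit to value, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* URL-decode ("dehexify"): %XX -> byte, '+' -> ' '.  dst needs strlen(src)+1. */
void dehexify(char *dst, const char *src) {
    while (*src) {
        int h, l;
        if (*src == '%' && (h = hexval((unsigned char)src[1])) >= 0 &&
            (l = hexval((unsigned char)src[2])) >= 0) {
            *dst++ = (char)(h * 16 + l);
            src += 3;
        } else if (*src == '+') {
            *dst++ = ' ';
            src++;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';
}

/* Assumed escape sets: the classic list without newline, and with it added. */
const char META_OLD[] = "&;`'\"|*?~<>^()[]{}$\\";
const char META_NEW[] = "&;`'\"|*?~<>^()[]{}$\\\n";

/* Prefix every byte found in meta with a backslash; caller frees the result. */
char *escape_shell_cmd_like(const char *s, const char *meta) {
    char *out = malloc(2 * strlen(s) + 1), *d = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (strchr(meta, *s)) *d++ = '\\';
        *d++ = *s;
    }
    *d = '\0';
    return out;
}

/* How many separate commands "sh -c" would see: a toy lexer honoring
 * backslash escapes and single/double quotes.  Unquoted, unescaped
 * ';', '\n', '|' and '&' (runs collapsed) start a new command. */
int shell_command_count(const char *s) {
    int count = 1, in_single = 0, in_double = 0;
    for (; *s; s++) {
        if (in_single) { if (*s == '\'') in_single = 0; continue; }
        if (*s == '\\') { if (s[1]) s++; continue; } /* escaped byte, incl. backslash-newline */
        if (in_double) { if (*s == '"') in_double = 0; continue; }
        if (*s == '\'') { in_single = 1; continue; }
        if (*s == '"') { in_double = 1; continue; }
        if (*s == ';' || *s == '\n' || *s == '|' || *s == '&') {
            count++;
            while (s[1] == ';' || s[1] == '\n' || s[1] == '|' || s[1] == '&') s++;
        }
    }
    return count;
}

/* What the CGI should do instead of trusting argv: allow only the bytes the
 * downstream program needs (here, a user name for a finger-style lookup). */
int cgi_arg_is_safe(const char *s) {
    if (!*s) return 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!isalnum(c) && c != '.' && c != '-' && c != '_' && c != '@') return 0;
    }
    return 1;
}

/* End to end: commands the CGI's shell sees for a query under a given
 * escape set.  Returns -1 if the query does not fit the buffer. */
int commands_seen_by_cgi(const char *query, const char *meta) {
    char decoded[256];
    char *escaped;
    int n;
    if (strlen(query) >= sizeof decoded) return -1;
    dehexify(decoded, query);
    escaped = escape_shell_cmd_like(decoded, meta);
    if (!escaped) return -1;
    n = shell_command_count(escaped);
    free(escaped);
    return n;
}

int main(void) {
    /* Constructed queries: a ';' attempt, which the escaper neutralizes,
     * and a %0A attempt, which only the newline-aware set neutralizes. */
    const char *q[] = { "jmyers%3Bid", "jmyers%0Aid" };
    for (int i = 0; i < 2; i++)
        printf("%-12s old=%d new=%d safe=%d\n", q[i],
               commands_seen_by_cgi(q[i], META_OLD),
               commands_seen_by_cgi(q[i], META_NEW), cgi_arg_is_safe(q[i]));
    return 0;
}
```

With META_OLD the %0A query yields two commands, matching the attack the message describes; with META_NEW it yields one, because the shell treats backslash-newline as a line continuation. cgi_arg_is_safe() rejects both queries before any shell is involved, which is the fix the author says belongs in the CGI script rather than in src/util.c.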

