Bugtraq mailing list archives
Re: Vulnerability in Glimpse HTTP
From: gentry () USACCESS-INC COM (Brian Gentry)
Date: Wed, 2 Jul 1997 13:52:52 -0400
Hi all, I was upset to learn that a site I manage had this script installed and *was* vulnerable. I've fixed this problem and scanned through the remaining code for other vulnerabilities like this one. I think this was the only insecure open, exec, or system call made. The fix is below. On Wed, Jul 02, 1997 at 07:32:09PM +0300, Razvan Dragomirescu wrote:
Hi, I'm back with another vulnerability, this time in a small utility: Glimpse HTTP which is an interface to the Glimpse search tool. It is written in PERL. First my congratulations to the authors. They've done a really great job in securing the program (really, I mean it). The hole I exploited is a small one but it can allow you to execute any command on the remote system (as the owner of the http server). Allow me to quote from the source (I'm sure I have the latest version, I downloaded it 1 hour ago :) ). --begin-- $path_info = $ENV{'PATH_INFO'}; $_ = $path_info; # /<length>/$indexdir/$path is the format of the PATH_INFO # might as well start the message now print "Content-type: text/html\n\n"; print "<HTML>\n"; print "<HEAD>\n"; if ( m|^/([0-9]*)(.*)$| ) { $length = $1; $path = $2; $path =~ s|"||g; } else { &err_badargs; } $indexdir = substr($path,0,$length); $relpath = substr($path,$length,length($path)); # print "<br>indexdir=$indexdir<br>relpath=$relpath<br>";
As the poster pointed out, the "open(..." line below is the problem. If we simply look for shell metacharacters and exit if we find any, the security problem is abated. Here's the code I used to do this. Insert this code directly above the open line below. In fact, the code goes exactly where I have it placed in this message. if($indexdir =~ tr/;<>*|`&$!#()[]{}:'"//) { print "<H1>Evil characters found! Exiting.</H1>"; exit(1); }
open(CONF,"$indexdir/archive.cfg") || &err_conf; --end--
I had seen this tr "test" before and went looking for it. I found it in a pretty good tutorial on cgi security. You can read it at: http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt Brian L. Gentry
Current thread:
- Vulnerability in Glimpse HTTP Razvan Dragomirescu (Jul 02)
- Re: Vulnerability in Glimpse HTTP Brian Gentry (Jul 02)
- Re: Vulnerability in Glimpse HTTP Jean-Christophe Touvet (Jul 03)
- Re: Vulnerability in Glimpse HTTP Paul Phillips (Jul 08)
- Re: Vulnerability in Glimpse HTTP Oliver Friedrichs (Jul 09)
- CERT Vendor-Initiated Bulletin VB-97.05 - Vul in Lynx Temporary Nicolas Dubee (Jan 01)
- Re: Vulnerability in Glimpse HTTP Martin Pool (Jul 10)
- It's not over yet. Aleph One (Jul 11)
- It's not over yet. Manley, Jim W (Jul 11)
- More information about JavaScript bug Dominick Matthias PN OIL 6 (Jul 11)
- new post SP3 hotfix: lm-fix Alex Libenson (Jul 12)
- Minor PGP vulnerability Harald Weidner (Jul 15)
- Re: Vulnerability in Glimpse HTTP Brian Gentry (Jul 02)