May SysAdmin man.sh security hole

[aleph1 () NATIONWIDE NET (Aleph One)]

---------- Forwarded message ----------
Date: Fri, 15 May 1998 11:28:07 -0700
From: Robert Moniot <moniot () pascal dsm fordham edu>
Subject: May SysAdmin man.sh security hole
Newsgroups: comp.security.unix


The May 1998 issue of SysAdmin Magazine contains an article,
"Web-Enabled Man Pages", which includes source code for very nice cgi
script named man.sh to feed man pages to a web browser.  The hypertext
links to other man pages are an especially attractive feature.

Unfortunately, this script is vulnerable to attack.  Essentially,
anyone who can execute the cgi thru their web browser can run any
system commands with the user id of the web server and obtain the
output from them in a web page.

I have notified the author, and he has undertaken to replace the code
posted on the www.samag.com website with corrected code, but in the
meantime here is a patch that I believe closes the security hole.

48,49c48,50
<           sub(/\=/, "=\"", x)
<           sub(/$/, "\"", x)
 ---
>           gsub(/[^-_=+%a-zA-Z0-9]/, ".", x)   # strip out any funny chars
>           sub(/\=/, "='"'"'", x)              # quote rhs in apostrophes
>           sub(/$/, "'"'"'", x)
51,52c52,53
<           gsub(/\+/, " ", x)
<           print x
 ---
>           gsub(/\+/, " ", x)                  # change + to space
>           if( x ~ /^(man|srch)=/ ) print x