Bugtraq mailing list archives
"Cthulhu xhAze" - Command execution in Ans.pl
From: "b0iler _" <b0iler () hotmail com>
Date: Thu, 21 Feb 2002 00:57:46 -0700
#!/exploit/by/b0iler
# script name: Ans.PL
# Primary author of script: Avenger
# script url: http://ans.gq.nu/

"Avenger's News System (ANS) is a PERL-based solution to creating an easy-to-update and easy-to-maintain web site. Instead of constantly uploading new news pages and wrestling with HTML, you can post stuff via a web-based form."

The variable $QUERY is defined in the config file as:

    <define QUERY>"$ENV{'QUERY_STRING'}"

When the script is run it checks for a post, then it checks for a plugin. The problem is in the plugin subroutine:

    if (substr($QUERY, 0, 2) eq "p=") {
        $plugin = substr((split /&/, $QUERY)[0], 2);
        if (index("$QUERY", "&") < 0) {
            $QUERY = "";
        } else {
            $QUERY = substr($QUERY, index("$QUERY", "&")+1);
        }
        # two-argument open: $plugin comes straight from the query string
        open (PLUGIN, "$FILE_LOCATION/$plugin");
        @plugin = <PLUGIN>;
        close (PLUGIN);
        eval("@plugin");
        exit;
    }

No filtering is done on user input, so command execution is possible: Perl's two-argument open() runs the string as a command when it ends in a pipe character (|), and ../ sequences let $plugin point outside $FILE_LOCATION.

Exploit:

    ans.pl?p=../../../../bin/command argument|&blah

Fix:
Filter meta characters, .., and use < << > >> when calling open(). Replace the above code with this:

    if (substr($QUERY, 0, 2) eq "p=") {
        $QUERY =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g; #filter meta characters
        $QUERY =~ s/\.\.//g; #filter double dot (..)
        $plugin = substr((split /&/, $QUERY)[0], 2);
        if (index("$QUERY", "&") < 0) {
            $QUERY = "";
        } else {
            $QUERY = substr($QUERY, index("$QUERY", "&")+1);
        }
        open (PLUGIN, "<$FILE_LOCATION/$plugin"); #added a < to the open() - readonly
        @plugin = <PLUGIN>;
        close (PLUGIN);
        eval("@plugin");
        exit;
    }

I attempted to contact the author on 2/1/02 but they haven't responded.
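
A stricter variant of the fix above, added here as an example and not taken from ANS or from the advisory: the plugin name is checked against an allowlist pattern and the file is read with three-argument open(). The helper names resolve_plugin and read_plugin, the fixed .pl extension, and the temporary sample plugin are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);

# Hypothetical helper: map the p= parameter to a file inside $base_dir.
# Returns the resolved path, or undef if the name fails the allowlist.
sub resolve_plugin {
    my ($base_dir, $query) = @_;
    my ($first) = split /&/, $query;           # only the first parameter
    return unless defined $first
        && $first =~ /\Ap=([A-Za-z0-9_-]{1,64})\z/;
    my $name = $1;                             # no '/', '.', '|' or spaces
    my $base = realpath($base_dir);
    return unless defined $base;
    my $path = realpath("$base/$name.pl");     # fixed extension (assumption)
    return unless defined $path && -f $path;
    # Reject symlinks that resolve outside the plugin directory.
    return unless index($path, "$base/") == 0;
    return $path;
}

# Three-argument open: the mode is its own argument, so a '|' in the
# file name is never interpreted as a request to run a command.
sub read_plugin {
    my ($path) = @_;
    open(my $fh, '<', $path) or return;
    local $/;                                  # slurp the whole file
    my $code = <$fh>;
    close $fh;
    return $code;
}

# Constructed sample data: a temporary plugin directory with one plugin.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/hello.pl") or die "cannot create sample: $!";
print {$out} "print qq(hello plugin\\n);\n";
close $out;

# Constructed query strings; the second is the request from the advisory.
for my $q ('p=hello&x=1', 'p=../../../../bin/command argument|&blah', 'p=hello.pl|') {
    my $path = resolve_plugin($dir, $q);
    my $code = defined $path ? read_plugin($path) : undef;
    printf "%-42s => %s\n", $q,
        defined $code ? 'loaded ' . length($code) . ' bytes' : 'rejected';
}
```

Because the script passes whatever it reads to eval(), the name check only limits which file is loaded; write access to the plugin directory still decides what code runs.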