Full Disclosure mailing list archives
TINYURL - A powerful tool just got more powerful
From: gobus () hmj com
Date: Fri, 7 May 2004 07:37:41 -0400 (EDT)
Overview:
---------
After sending huge URLs to friends on one too many occasions (at least they *tell* me they are my friends), they finally got together and convinced me to use Tinyurl. While it seemed at first glance to be a powerful tool, and a great free service, something struck me as odd about it. The potential for abuse here was just too great to go unchecked. After deep, introspective thought, I have decided that I firmly believe, "Tinyurl is the Devil".

Problem:
--------
Great service, but if you were coding it, would you really allow unlimited, free-form URLs? I suggest you pray on it. I have, and I wouldn't. Friends, input validation is not to be feared. Come to the Light.

Fix:
----
What did I not make clear above? Anyways, you aren't really even reading this anymore, are you? You already snuck a peek and saw that there is PoC code below. You really don't care about me or my advisory, do you? *sob* :D

<-------------- begin crufty PoC code -------------->
#!/usr/bin/perl
#
# (c) 2004 all rights reserved by :D
#
# God bless and keep you from Tinyurl
#
# Props to AG, JW, IG, RH, BH & EU
#
# Store arbitrary files in tinyurl.com: the file is base64-encoded and
# submitted as the "URL" to be shortened; the short key is the file handle.
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Response;
use HTTP::Request::Common;
use MIME::Base64;

# path to curl binary (trailing space so it can be concatenated with the URL)
sub CURL() { '/usr/bin/curl ' }

# dispatch commands: "put <file>" or "get <file> <tinyurl key>"
(defined $ARGV[0] && $ARGV[0] eq 'get') && ($#ARGV == 2) && get($ARGV[1], $ARGV[2]);
(defined $ARGV[0] && $ARGV[0] eq 'put') && ($#ARGV == 1) && put($ARGV[1]);

# usage
print<<EOF;
Usage $0: [get|put] filename [url]

Use tinyurl.com as a filesystem.

Example:
  $0 put foo.tgz
  $0 get foo.tgz 2ghmz

  put   Create a new file on tinyurlfs
  get   Retrieve a file from tinyurlfs
EOF

# retrieve a file: resolve the tinyurl key, strip the scheme, base64-decode
sub get {
    my $filename = shift;
    my $url      = shift;
    print "\n---> GET [" . $filename . "] URL [" . $url . "]\n";
    my $base64 = _get_tinyurl($url);
    open(FILE, '>', $filename) or die("unable to write " . $filename . ": $!");
    binmode FILE;
    print FILE decode_base64($base64);
    close FILE;
    exit();
}

# upload a file: base64-encode it and submit it as the "URL" to shorten
sub put {
    my $filename = shift;
    print "\n---> PUT [$filename]\n";
    my $url = _put_tinyurl($filename);
    print "---> URL [" . $url . "]\n";
    exit();
}

# Resolve a tinyurl key via a third-party redirect viewer and return the
# stored "URL" with the "Location: http://" prefix removed.
sub _get_tinyurl {
    my $url = shift;
    # nasty, nasty, nasty HACK, but LWP wasn't playing nice here
    open(RESPONSE, CURL . 'http://unicyclist.com/tinyurl/redirect.php?num=' . $url . ' |')
        or die("unable to run curl: $!");
    my @out = <RESPONSE>;
    close RESPONSE;
    chomp @out;
    my $joined = join('', @out);
    $joined =~ s/Location: http:\/\///;
    return $joined;
}

# POST the base64 payload to tinyurl's create form and pull the new key
# out of the HTML response.
sub _put_tinyurl {
    my $filename = shift;
    my $ua = LWP::UserAgent->new();
    my $raw = '';
    open(FILE, '<', $filename) or die("unable to read " . $filename . ": $!");
    binmode(FILE);
    while (<FILE>) {
        $raw .= $_;
    }
    close FILE;
    my $base64 = encode_base64($raw);
    my $re = '<blockquote>(http://tinyurl\.com/.*?)</blockquote>';
    my $response = $ua->request(
        POST 'http://tinyurl.com/create.php', [ url => $base64 ]
    );
    if ($response->is_success and $response->content =~ /$re/) {
        my $url = $1;
        $url =~ s/http:\/\/tinyurl.com\///g;
        return $url;
    }
    die("unable to upload " . $filename);
}
<-------------- end crufty PoC code -------------->

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
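The post's point is that a shortener which accepts any free-form string as a "URL" becomes a free blob store. The following is an added example, not part of the original post or of tinyurl.com's code: it models a shortener with an unvalidated create() beside one that validates its input, and runs the same base64 "tinyurlfs" put/get against both. All names (NaiveShortener, ValidatingShortener, validate_url, the 2048-byte cap, the host regex) are assumptions made here for illustration.

```python
import base64
import re
import secrets
from urllib.parse import urlsplit

# Assumed policy for the validating shortener (not tinyurl.com's real rules).
MAX_URL_LEN = 2048
ALLOWED_SCHEMES = {"http", "https"}
# DNS-style hostname: 1-63 char labels, no leading/trailing hyphen, >= 2 labels.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def validate_url(url: str) -> str:
    """Reject anything that is not a plausible http(s) URL of bounded length."""
    if len(url) > MAX_URL_LEN:
        raise ValueError("URL too long")
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = (parts.hostname or "").lower()
    if not HOST_RE.match(host):
        raise ValueError("malformed host: %r" % host)
    return url


class NaiveShortener:
    """In-memory stand-in for a shortener that stores whatever it is given."""

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def create(self, url: str) -> str:
        key = secrets.token_urlsafe(4)
        while key in self._store:
            key = secrets.token_urlsafe(4)
        self._store[key] = url
        return key

    def resolve(self, key: str) -> str:
        return self._store[key]


class ValidatingShortener(NaiveShortener):
    """Same service, but create() refuses input that is not a real URL."""

    def create(self, url: str) -> str:
        return super().create(validate_url(url))


def tinyurlfs_put(shortener: NaiveShortener, data: bytes) -> str:
    """The post's 'put': base64 the file and submit it as the URL to shorten."""
    return shortener.create(base64.b64encode(data).decode("ascii"))


def tinyurlfs_get(shortener: NaiveShortener, key: str) -> bytes:
    """The post's 'get': resolve the key and base64-decode what comes back."""
    return base64.b64decode(shortener.resolve(key))


def blob_accepted(shortener: NaiveShortener, data: bytes) -> bool:
    """True if the shortener stores an arbitrary blob and hands it back intact."""
    try:
        key = tinyurlfs_put(shortener, data)
    except ValueError:
        return False
    return tinyurlfs_get(shortener, key) == data


if __name__ == "__main__":
    payload = b"\x00\x01binary payload, not a URL"  # constructed sample file
    print("naive accepts blob:     ", blob_accepted(NaiveShortener(), payload))
    print("validating accepts blob:", blob_accepted(ValidatingShortener(), payload))
```

The validating variant still shortens ordinary links, but the base64 payload fails at the scheme check before anything is stored. Note that validation alone only narrows the channel: a payload can still ride in the query string of a syntactically valid URL, which is why the length cap matters as much as the syntax check, and why a production service would also rate-limit and de-duplicate.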