Full Disclosure mailing list archives

TINYURL - A powerful tool just got more powerful


From: gobus () hmj com
Date: Fri, 7 May 2004 07:37:41 -0400 (EDT)

Overview:
---------
After sending huge urls to friends on one too many occasions (at least they
*tell* me they are my friends), they finally got together and convinced me
to use Tinyurl. While it seemed at first glance to be a powerful tool, and
a great free service, something struck me odd about it. The potential for
abuse here was just too great to go unchecked. After deep, introspective 
thought, I have decided that I firmly believe, "Tinyurl is the Devil".

Problem:
--------
Great service, but if you were coding it, would you really allow unlimited, 
free-form urls? I suggest you pray on it. I have, and I wouldn't. Friends,
input validation is not to be feared. Come to the Light.

Fix:
----
What did I not make clear above? Anyways, you aren't really even reading 
this anymore, are you? You already snuck a peek and saw that there is PoC 
code below. You really don't care about me or my advisory, do you? *sob*

:D

<-------------- begin crufty PoC code -------------->

#!/usr/bin/perl
#
# (c) 2004 all rights reserved by :D
# 
# God bless and keep you from Tinyurl
#
# Props to AG, JW, IG, RH, BH & EU
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Response;
use HTTP::Request::Common;
use MIME::Base64;

# path to curl binary
sub CURL {'/usr/bin/curl '}

# dispatch commands
($ARGV[0] eq 'get')&&($#ARGV==2)&&get($ARGV[1],$ARGV[2]);
($ARGV[0] eq 'put')&&($#ARGV==1)&&put($ARGV[1]);        

# usage
print<<EOF;
Usage $0: [get|put] filename [url]
Use tinyurl.com as a filesystem.
Example: $0 put foo.tgz
         $0 get foo.tgz 2ghmz

  put           Create a new file on tinyurlfs
  get           Retrieve a file from tinyurlfs

EOF

# retrieve a file: resolve the tinyurl id, base64-decode the result to disk
sub get {
        my $filename = shift;
        my $url = shift;
        print "\n---> GET [".$filename."] URL [".$url."]\n";
        my $base64 = _get_tinyurl($url);
        open(FILE, '>', $filename) or die("cannot write $filename: $!");
        binmode FILE;
        print FILE decode_base64($base64);
        close FILE;
        exit();
}

# upload a file
sub put {
        my $filename = shift;
        print "\n---> PUT [$filename]\n";
        my $url = _put_tinyurl($filename);
        print "---> URL [".$url."]\n";
        exit();
}

# resolve a tinyurl id to the "url" it redirects to, i.e. the base64 payload
sub _get_tinyurl {
        my $url = shift;
        # nasty, nasty, nasty HACK, but LWP wasn't playing nice here
        # (redirect.php returns the Location header of the tinyurl redirect;
        # $url is interpolated into a shell command, so pass only a tinyurl id)
        open (RESPONSE, CURL.'http://unicyclist.com/tinyurl/redirect.php?num='.$url.' |')
                or die("cannot run curl: $!");
        my @out = <RESPONSE>;
        close RESPONSE;
        chomp @out;
        my $joined = join('',@out);
        # strip the header name and the scheme, leaving the raw base64
        $joined =~ s/Location: http:\/\///;
        return $joined;
}

# upload a file: base64-encode it and submit it as the "url" to be shortened
sub _put_tinyurl {
        my $filename = shift;
        my $ua = LWP::UserAgent->new();
        my $raw;
        open(FILE, '<', $filename) or die("cannot read $filename: $!");
        binmode(FILE);
        while(<FILE>) {
                $raw.=$_;
        }
        close FILE;
        my $base64 = encode_base64($raw);
        # the create page echoes the new short url inside a <blockquote>
        my $re = '<blockquote>(http://tinyurl\.com/.*?)</blockquote>';
        my $response = $ua->request( POST 'http://tinyurl.com/create.php',[ url => $base64 ] );
        if ($response->is_success and $response->content =~ /$re/) {
                my $url = $1;
                # keep only the tinyurl id
                $url =~ s/http:\/\/tinyurl.com\///g;
                return $url;
        }
        die("unable to upload ".$filename);
}

<-------------- end crufty PoC code -------------->

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
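The check the Problem section calls for, as an added example that is neither the original post's code nor tinyurl.com's: a strict validator for what a shortener's create endpoint should accept, run over a constructed base64 blob of the kind the PoC submits. The length cap, the allowed schemes and the hostname grammar are assumptions to be tuned to policy.

```python
"""Input validation for a URL shortener's create endpoint.

Added example: not the original post's code and not tinyurl.com's. It
accepts only strings that parse as a public http(s) link, so a
base64-encoded file (the PoC's payload) is refused. The limits and the
hostname grammar below are assumptions.
"""
import base64
import re
from typing import Dict, Tuple
from urllib.parse import urlsplit

MAX_URL_LEN = 2048                      # assumption: generous cap for real links
ALLOWED_SCHEMES = {"http", "https"}     # assumption: web links only

# Strict hostname grammar (assumption): dot-separated RFC 1123 labels with an
# alphabetic top-level label. Numeric IPs and single-label names are rejected.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+"
    r"[A-Za-z]{2,63}$"
)


def validate_url(candidate: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a string submitted to the create endpoint."""
    if len(candidate) > MAX_URL_LEN:
        return False, "too long (%d > %d)" % (len(candidate), MAX_URL_LEN)
    # Anything outside printable ASCII (newlines, NULs, raw bytes) is not a URL;
    # base64 with MIME line breaks fails here even when it is short enough.
    if any(not 0x21 <= ord(ch) <= 0x7E for ch in candidate):
        return False, "control, space or non-ASCII character"
    try:
        parts = urlsplit(candidate)
        host = parts.hostname or ""
        parts.port   # accessing .port raises ValueError on a bad or out-of-range port
    except ValueError as exc:
        return False, "unparseable: %s" % exc
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme
    if not _HOST_RE.match(host):
        return False, "hostname %r is not a valid public hostname" % host
    return True, "ok"


def demo() -> Dict[str, bool]:
    """Run the validator over constructed inputs, including a PoC-style payload."""
    fake_file = bytes(range(256)) * 8            # constructed 2 KiB "file", not real data
    # base64 with a line break every 76 characters, as Perl's encode_base64 emits
    payload = base64.encodebytes(fake_file).decode("ascii")
    samples = {
        "legit":     "https://example.com/path/to/page?q=1#frag",
        "payload":   payload,
        "no_scheme": "example.com/foo",
        "ftp":       "ftp://example.com/file",
        "bad_host":  "http://not_a_host/",
        "bad_port":  "http://example.com:99999/",
        "newline":   "http://example.com/\nAAAA",
    }
    return {name: validate_url(url)[0] for name, url in samples.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-10s %s" % (name, "accepted" if ok else "rejected"))
```

Only the "legit" sample passes; the PoC payload fails on length, on the embedded line breaks and on the missing scheme, so any one of the three checks alone would have stopped it. The hostname rule also refuses numeric IPs and single-label names, which a real service may or may not want; loosen it deliberately rather than by dropping the check.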
