Vulnerability Development mailing list archives
Re: CGIs running on Windows
From: Nik Cubrilovic <Nik () JIGSAW COM AU>
Date: Wed, 11 Oct 2000 14:48:15 +1000
CGI holes on Windows servers are just as common as they are on *nix web servers. If user input is not filtered and is passed to a file open function, ..\ 's can be used to traverse up directories and access system files (see showcode.asp as an example of this).

Unfiltered user input that is passed into SQL queries is also common, such as the following example of some ASP code to open a recordset to be used to authenticate a user:

    RECORDSET.Source = "SELECT * FROM users WHERE username='" & request.querystring("username") & "' and password='" & request.querystring("password") & "'"

All that we need to do to exploit this hole and bypass login is to pass in the following username/password values:

    username: 1
    password: 1' or pass <> '1

such as requesting

    http://www.server.com/login.asp?username=1&password=1%27+or+pass+%3C%3E+%271

From the code above, this would put together the following SQL to be executed:

    RECORDSET.Source = "SELECT * FROM users WHERE username='1' and password='1' or pass <> '1'"

which of course, will return all data.

With more and more IIS holes appearing that enable remote attackers to view CGI (ASP) source code, it's becoming even easier to find these holes and exploit them.

A quick fix would be to filter all user input, and check lengths etc (example in ASP again):

    Dim password
    password = request.querystring("password")
    ' cap the length of the value
    if len(password) > 8 then password = left(password,8)
    ' reject values containing a space or a slash
    if instr(1, password, " ") <> 0 then password = ""
    if instr(1, password, "/") <> 0 then password = ""

You could also write functions to explicitly allow only alphanumeric input, or use the VBScript RegExp (Regular Expression) object to scan the string in a similar way.

-Nik Cubrilovic
-Wiretapped
-black.wiretapped.net

-----Original Message-----
From: - Evil
To: VULN-DEV () SECURITYFOCUS COM
Sent: 9/10/00 21:57
Subject: CGIs running on Windows

Since we have been discussing CGIs here, I would like to address a certain issue.

We all know how dangerous CGI scripts can be - and we have seen many examples of it - and will for a long time. However it seems like the authors of CGIs take security less seriously if their script is meant for Windows - i.e. when doing open's. Does this mean that a:

    open FILE, "$some_user_controllable_input";

is secure on a machine running Windows? At least on a machine running *nix it would be a big security hole.

thanks!
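Added example, not code from the thread: the concatenated query from Nik's ASP snippet next to a parameterized query, run against a constructed in-memory SQLite table so the difference can be observed offline. The table's column is named password, so the post's injected value is written against that column name; login_concat, login_param and make_db are names chosen here. The post's filter would reject this particular value because it contains spaces; parameterization removes the dependence on the shape of the input altogether.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the ASP page's "users" table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "pa55w0rd")],
    )
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """Same construction as the ASP snippet: request values spliced into the SQL text."""
    sql = ("SELECT * FROM users WHERE username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Parameterized form: the statement text is fixed and the values travel
    separately, so a quote inside the input stays data instead of syntax."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Row counts for the post's input against both query styles."""
    conn = make_db()
    # The post's value, with the column name used by this constructed table.
    injected = "1' or password <> '1"
    return {
        "concat_rows": len(login_concat(conn, "1", injected)),  # every row comes back
        "param_rows": len(login_param(conn, "1", injected)),    # no row matches
        "valid_user": len(login_param(conn, "alice", "s3cret")),  # legitimate login still works
    }


if __name__ == "__main__":
    print(demo())
```

The concatenated statement becomes `... username='1' and password='1' or password <> '1'`, and since AND binds tighter than OR the trailing clause matches every row; the parameterized statement compares the password column against the literal 20-character string and matches nothing.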
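For the ..\ traversal point raised in both messages, an added containment check (mine, not from the thread): the requested path is joined onto the directory the script is allowed to serve from, normalized, and rejected unless it still lies under that directory. Backslashes are treated as separators so the check behaves the same for Windows-style input on any platform; the base directory and request values are constructed for the example.

```python
import os


def resolve_under_base(base_dir, user_path):
    """Return the absolute path for user_path inside base_dir, or None if the
    request would resolve outside base_dir.

    base_dir: directory the CGI may serve files from (hypothetical value).
    user_path: the raw request value, possibly containing ..\\ or ../ segments.
    """
    base = os.path.realpath(base_dir)
    # Accept "\" as a separator as Windows does, so "..\" is normalized like "../".
    normalized = user_path.replace("\\", "/")
    # realpath collapses "." and ".." and follows symlinks, so the comparison
    # below is made against the path that would actually be opened.
    candidate = os.path.realpath(os.path.join(base, normalized))
    # commonpath compares whole path components, so "/srv/www2" is not
    # mistaken for something under "/srv/www".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def open_under_base(base_dir, user_path, mode="rb"):
    """Open a file only after the containment check has passed."""
    resolved = resolve_under_base(base_dir, user_path)
    if resolved is None:
        raise PermissionError("requested path escapes the document root")
    return open(resolved, mode)


if __name__ == "__main__":
    # Constructed requests; the first three escape the base and are refused.
    for req in ["..\\..\\winnt\\win.ini", "../../../etc/passwd", "/etc/passwd",
                "docs/readme.txt", "docs/../index.html"]:
        print(repr(req), "->", resolve_under_base("/srv/www", req))
```

Checking the resolved path rather than scanning the input for ".." means encoded or mixed-separator variants are handled by the same rule, and an absolute request such as `/etc/passwd` is refused because joining it replaces the base instead of extending it.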
Current thread:
- CGIs running on Windows - Evil (Oct 09)
- Re: CGIs running on Windows Bluefish (P.Magnusson) (Oct 10)
- Re: CGIs running on Windows Joe (Oct 10)
- <Possible follow-ups>
- Re: CGIs running on Windows Nik Cubrilovic (Oct 10)