Vulnerability Development mailing list archives

Re: Serious Hole in Comment/Discussion CGI Script


From: Joe <joe () blarg net>
Date: Fri, 27 Oct 2000 09:45:01 -0700

On Thu, 26 Oct 2000, Vitaly McLain wrote:

> Hi,
>
> I am not too good with Perl, but I think I see potential for some
> exploitation here.
> You said you were able to open text-files because of...
>
> open(FILE, "commentdata/$article.txt");
>
> Does the script parse out any metacharacters from $article? If it does not,
> then it has major problems.
> The direct avenue of attack would be to try directory traversal, i.e.
> trying to view a file like ../../../../../etc/passwd. Obviously this won't
> work, because there will be a .txt appended to passwd, and that is why you
> should try that "null trick" you mentioned. Append a %00 to the end, which
> should confuse Perl into only seeing the /etc/passwd part when opening the
> script (see Phrack #55 for more info.)

Null byte only works if the script decodes the url-encoded characters in the
query string, which the script is not doing. Hence, although you can grab
any '.txt' file, there's no way to inject control characters or whitespace
into the query string, which limits the damage you can do.

The open() call can be injected with a pipe ('|') to execute commands, but
without whitespace to work with there's not much you can do with it.

I think there's a happy accident here - the script author obviously didn't
care enough to decode the query string, thereby -accidentally- preventing the
script from being able to do serious damage.

--
Joe                                     Technical Support
General Support:  support () blarg net     Blarg! Online Services, Inc.
Voice:  425/401-9821 or 888/66-BLARG    http://www.blarg.net
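As an added illustration (not code from the thread or from the CGI script under discussion), the two-argument open() shape Vitaly quoted is shown beside a hardened replacement: an allowlist check on $article plus a three-argument open() with an explicit read mode, so the string can never be interpreted as a pipe. The "commentdata/" path comes from the thread; the sub names and the allowlist pattern are assumptions.

```perl
#!/usr/bin/perl
# Added example: vulnerable two-argument open() beside a hardened version.
use strict;
use warnings;

# The pattern quoted in the thread.  With two-argument open(), Perl
# interprets the string itself: a '|' at either end makes it a pipe and
# a NUL byte ends the C string the OS sees, so $article is effectively
# a small command language rather than a plain file name.
sub open_comments_unsafe {
    my ($article) = @_;
    open(FILE, "commentdata/$article.txt") or return undef;   # vulnerable
    my @lines = <FILE>;
    close(FILE);
    return \@lines;
}

# Hardened version: allowlist the identifier first, then use three-argument
# open() with an explicit '<' mode, which is only ever a path, never a pipe.
sub open_comments_safe {
    my ($article) = @_;
    # Letters, digits, '-' and '_' only (assumed naming rule).  This single
    # check rejects '/', '.', NUL, '|' and whitespace, so traversal, the
    # %00 truncation trick and pipe injection all fail before open() runs.
    return undef
        unless defined $article && $article =~ /\A[A-Za-z0-9_-]{1,64}\z/;
    my $path = "commentdata/$article.txt";
    open(my $fh, '<', $path) or return undef;
    my @lines = <$fh>;
    close($fh);
    return \@lines;
}

# Self-check on constructed inputs; none of these reaches the filesystem.
my @rejects = ("../../etc/passwd", "story\0", "story|", "story 1");
for my $name (@rejects) {
    die "should have rejected: $name" if defined open_comments_safe($name);
}
print "hardened open rejected all ", scalar(@rejects), " bad inputs\n";
```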

