Vulnerability Development mailing list archives

Re: CGIs running on Windows


From: Nik Cubrilovic <Nik () JIGSAW COM AU>
Date: Wed, 11 Oct 2000 14:48:15 +1000

CGI holes on Windows servers are just as common as they are on *nix web
servers. If user input is not filtered and is passed to a file open
function, ..\ sequences can be used to traverse up directories and access system
files (see showcode.asp as an example of this).

Unfiltered user input that is passed into SQL queries is also common, such
as the following example of some ASP code to open a recordset to be used to
authenticate a user.

RECORDSET.Source = "SELECT * FROM users WHERE username='" & request.querystring("username") & "' and password='" & request.querystring("password") & "'"

All that we need to do to exploit this hole and bypass login is to pass in
the following username/password values:

username: 1
password: 1' or pass <> '1

such as by requesting

http://www.server.com/login.asp?username=1&password=1%27+or+pass+%3C%3E+%271

From the code above, this would put together the following SQL to be executed:

RECORDSET.Source = "SELECT * FROM users WHERE username='1' and password='1' or pass <> '1'"

which, of course, will return all data.

With more and more IIS holes appearing that enable remote attackers to view
CGI (ASP) source code, it's becoming even easier to find these holes and
exploit them.

A quick fix would be to filter all user input, and check lengths etc.
(example in ASP again).

Dim password
password = request.querystring("password")
if len(password) > 8 then password = left(password,8)
if instr(1, password, " ") <> 0 then password = ""
if instr(1, password, "/") <> 0 then password = ""

You could also write functions to explicitly allow only alphanumeric input,
or use the VBScript RegExp (Regular Expression) object to scan the string in a
similar way.

-Nik Cubrilovic
-Wiretapped
-black.wiretapped.net
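The injection described in the reply above, and the allow-list fix it suggests, reproduced as an added example (not code from the post) in Python with sqlite3 rather than ASP; the users table and its rows are constructed here, and because the post's query names the column password while its payload says pass, the payload is written against password so it runs as-is.

```python
import re
import sqlite3

# Constructed sample data standing in for the post's "users" table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

def make_db():
    """Build an in-memory users table from the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def vulnerable_login(conn, username, password):
    """Same string concatenation as the ASP RECORDSET.Source line in the post:
    whatever the client sends becomes part of the SQL text."""
    sql = ("SELECT * FROM users WHERE username='" + username
           + "' and password='" + password + "'")
    return conn.execute(sql).fetchall()

def safe_login(conn, username, password):
    """Parameterised form: the driver binds inputs as values, so a quote in
    the password can never terminate the string literal."""
    sql = "SELECT * FROM users WHERE username=? and password=?"
    return conn.execute(sql, (username, password)).fetchall()

ALNUM = re.compile(r"[A-Za-z0-9]+")

def filter_input(value, max_len=8):
    """Allow-list filter in the spirit of the post's ASP fix: truncate to
    max_len, then reject (return "") anything not purely alphanumeric."""
    value = value[:max_len]
    return value if ALNUM.fullmatch(value) else ""

def demo():
    """Run the post's payload against both query styles; returns a summary."""
    conn = make_db()
    # The post's injected password, column spelled as in its SELECT.
    injected = "1' or password <> '1"
    return {
        "vulnerable_rows": len(vulnerable_login(conn, "1", injected)),
        "safe_rows": len(safe_login(conn, "1", injected)),
        "filtered_payload": filter_input(injected),
        "legit_rows": len(safe_login(conn, "alice", filter_input("s3cret"))),
    }

if __name__ == "__main__":
    print(demo())
```

Because AND binds tighter than OR, the concatenated query reads (username='1' and password='1') or password <> '1', which matches every row; the bound version matches none.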

-----Original Message-----
From: - Evil
To: VULN-DEV () SECURITYFOCUS COM
Sent: 9/10/00 21:57
Subject: CGIs running on Windows

Since we have been discussing CGIs here, I would like to address a certain
issue. We all know how dangerous CGI scripts can be - and we have seen many
examples of it - and will for a long time. However it seems like the authors
of CGIs take security less seriously if their script is meant for Windows -
i.e. when doing open's. Does this mean that a:

open FILE, "$some_user_controllable_input";

is secure on a machine running Windows? At least on a machine running *nix
it would be a big security hole.

thanks!

