BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Famous last words: "surely this CGI script is safe"

Subject: Famous last words: "surely this CGI script is safe"
From: scottprive at earthlink.net (Scott Prive)
Date: Mon, 31 Mar 2003 18:04:02 -0500
References: <1049147119.602.11.camel@belladonna>

1) You accept a string, from HTTP_REFERRER.
2) You take that string, and use it as part of two bash commands.

This doesn't look very safe. :-)

Properly-escaped $HTTP_REFERER string could confuse the bash code enough
that your script can overwrite local files. Or maybe read and pipe data you
don't want it to (/etc/passwd, your .bash_history, etc.). Nothing here
prevents an overflow string (say, a 2000 byte HTTP_REFER) from occuring. You
could break this right now by sending a HTTP_REFERER that contains a space.
It wouldn't matter to your script if spaces aren't "allowed" in REFERER
strings...

I'd suggest avoiding bash altogether because it has weak security and weak
string management. Perl (also PHP) is no magic bullet, but there's a lot
more reference material for securing Perl scripts. Take a look on
Freshmeat.net for some referrer loggers, etc., and see if there are any
safeguards you could copy.

If I were a little better at security (or had more time) I'd reply with an
example script that Does Bad Things, so take this with a grain of salt..

-Scott

----- Original Message -----
From: "Seth Gordon" <sethg at ropine.com>
To: <discuss at blu.org>
Sent: Monday, March 31, 2003 4:45 PM
Subject: Famous last words: "surely this CGI script is safe"


> I've composed this CGI shell script as an example of backlink-tracing:
>
> [begin]
> #!/bin/bash
>
> echo "Content-type: text/plain"
> echo
>
> # If the linking page isn't in the referers file, add it.
> grep --quiet $HTTP_REFERER referers || echo $HTTP_REFERER >> referers
>
> echo
> echo "Links to this page have been followed from the following URLs:"
> echo
> cat referers
> [end]
>
> Other than filling up my partition with spurious URLs, is there any
> damage that a malicious outsider could do with this script?
>
> --
> "Your labour is only worth something to the extent that it saves someone
> else having to do it."  --Paul Foley
> // seth gordon // sethg at ropine.com // http://ropine.com/sethg/cv.html //
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss

References:
- Famous last words: "surely this CGI script is safe"
  - From: sethg at ropine.com (Seth Gordon)

Prev by Date: Famous last words: "surely this CGI script is safe"
Next by Date: Fwd: Red Hat Linux 9 -- Get it Early
Previous by thread: Famous last words: "surely this CGI script is safe"
Next by thread: LinModems ... what to do?
Index(es):
- Date
- Thread


BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Boston Linux & Unix / webmaster@blu.org