Re: Vulnerability in Glimpse HTTP

Brian Gentry (gentry@USACCESS-INC.COM)
Wed, 02 Jul 1997 13:52:52 -0400

Hi all,

I was upset to learn that a site I manage had this script installed
and *was* vulnerable. I've fixed this problem and scanned through
the remaining code for other vulnerabilities like this one. I
think this was the only insecure open, exec, or system call made.

The fix is below.

On Wed, Jul 02, 1997 at 07:32:09PM +0300, Razvan Dragomirescu wrote:
> Hi,
>
> I'm back with another vulnerability, this time in a small utility: Glimpse
> HTTP which is an interface to the Glimpse search tool. It is written in
> PERL.
>
> First my congratulations to the authors. They've done a really great job
> in securing the program (really, I mean it). The hole I exploited is a
> small one but it can allow you to execute any command on the remote
> system (as the owner of the http server).
>
> Allow me to quote from the source (I'm sure I have the latest version, I
> downloaded it 1 hour ago :) ).
>
> --begin--
>
> $path_info = $ENV{'PATH_INFO'};
> $_ = $path_info;
>
> # /<length>/$indexdir/$path is the format of the PATH_INFO
>
> # might as well start the message now
> print "Content-type: text/html\n\n";
> print "<HTML>\n";
> print "<HEAD>\n";
>
> if ( m|^/([0-9]*)(.*)$| ) {
>     $length = $1;
>     $path = $2;
>     $path =~ s|"||g;
> } else {
>     &err_badargs;
> }
>
> $indexdir = substr($path,0,$length);
> $relpath = substr($path,$length,length($path));
>
> # print "<br>indexdir=$indexdir<br>relpath=$relpath<br>";
>

As the poster pointed out, the "open(..." line below is the problem.
If we simply look for shell metacharacters and exit if we find any,
the security problem is abated. Here's the code I used to do this.
Insert this code directly above the open line below. In fact, the
code goes exactly where I have it placed in this message.

# Refuse $indexdir if it contains any shell metacharacter. tr/// with an
# empty replacement list only counts matching characters; it does not
# modify $indexdir, so a non-zero count means something dangerous is in it.
if($indexdir =~ tr/;<>*|`&$!#()[]{}:'"//) {
    print "<H1>Evil characters found! Exiting.</H1>";
    exit(1);
}

> open(CONF,"$indexdir/archive.cfg") || &err_conf;
>
> --end--

I had seen this tr "test" before and went looking for it. I found it in
a pretty good tutorial on cgi security. You can read it at:

http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt

Brian L. Gentry
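The following is an added example, not code from Glimpse HTTP or from either poster. It shows the metacharacter test from the fix above next to an allowlist check, and wraps the config read in a three-argument open() with an explicit read mode, so that the filename string can never be interpreted by Perl as a pipe or redirection the way a two-argument open() does. The function names, the allowed character set and the sample values are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example: validating an attacker-controlled directory name before it
# is used to build a filename. Not part of Glimpse HTTP.
use strict;
use warnings;

# Denylist test as posted in the fix: tr/// with an empty replacement list
# counts characters from the set and leaves the string unchanged.
sub has_shell_meta {
    my ($s) = @_;
    return ($s =~ tr/;<>*|`&$!#()[]{}:'"//) > 0;
}

# Allowlist test (assumed policy for this example): permit only a small
# character set and refuse any ".." path component, which the
# metacharacter list alone does not catch.
sub is_safe_indexdir {
    my ($s) = @_;
    return 0 unless defined $s && length $s;
    return 0 unless $s =~ m{^[A-Za-z0-9_./-]+$};
    return 0 if grep { $_ eq '..' } split m{/}, $s;
    return 1;
}

# Read archive.cfg below $indexdir. The three-argument open() with an
# explicit '<' mode treats the third argument purely as a filename, so a
# leading "|" or ">" in $indexdir cannot turn the open into a command.
sub read_archive_cfg {
    my ($indexdir) = @_;
    die "bad indexdir\n" unless is_safe_indexdir($indexdir);
    open(my $conf, '<', "$indexdir/archive.cfg")
        or die "cannot open archive.cfg: $!\n";
    local $/;               # slurp the whole file
    my $data = <$conf>;
    close $conf;
    return $data;
}

# Constructed sample values (not taken from the advisory) showing which
# check rejects what. "x|y" fails both; "../up" passes the denylist but
# fails the allowlist; "a b" fails only the allowlist.
for my $candidate ('indexes/docs', 'a b', '../up', 'x|y') {
    printf "%-14s meta=%d allow=%d\n", $candidate,
        has_shell_meta($candidate)   ? 1 : 0,
        is_safe_indexdir($candidate) ? 1 : 0;
}
```

The point of combining the two is that the metacharacter denylist protects the two-argument open() as it stands, while the allowlist plus three-argument open() removes the reliance on the list being complete: a character that is not in the set cannot slip through, and even a name that did pass could not change the mode of the open.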