Re: Vulnerability in Glimpse HTTP

Jean-Christophe Touvet (jct@EDELWEB.FR)
Thu, 03 Jul 1997 12:17:43 +0200

> As the poster pointed out, the "open(..." line below is the problem.
> If we simply look for shell metacharacters and exit if we find any,
> the security problem is abated. Here's the code I used to do this.
> Insert this code directly above the open line below. In fact, the
> code goes exactly where I have it placed in this message.
>
> if($indexdir =~ tr/;<>*|`&$!#()[]{}:'"//) {
> print "<H1>Evil characters found! Exiting.</H1>";
> exit(1);
> }

There is at least one very dangerous shell metacharacter missing in this list.
As said in the tutorial where you found this code fragment, the security
policy should be "that which is not expressly permitted is forbidden". It's
much safer to use the "complement" of a set of allowed chars, for example:

$indexdir =~ tr/a-zA-Z0-9//cd;

or

if ($indexdir =~ /[^a-zA-Z0-9]/) {
print "<H1>Evil characters found! Exiting.</H1>";
die "Warning ",$ENV{REMOTE_HOST},": $indexdir\n";
}

> > open(CONF,"$indexdir/archive.cfg") || &err_conf;
> >
> > --end--
>
> I had seen this tr "test" before and went looking for it. I found it in
> a pretty good tutorial on cgi security. You can read it at:
>
> http://www.go2net.com/people/paulp/cgi-security/safe-cgi.txt

Maybe the author should be notified about this error.

Cheers,

-JCT-
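As an added example (not code from this thread or from the tutorial it cites), the following Perl script runs the quoted blocklist `tr///` test and the reply's allowlist test side by side on a few constructed values of `$indexdir`, so the reader can see which inputs the blocklist lets through while the allowlist rejects them.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread or the cited tutorial:
# runs the quoted blocklist tr/// check and the reply's allowlist check
# side by side on constructed sample values of $indexdir.
use strict;
use warnings;

# The quoted blocklist test: rejects when any listed metacharacter occurs.
# tr/// with an empty replacement list and no /d only counts matches.
sub blocklist_rejects {
    my ($indexdir) = @_;
    return ($indexdir =~ tr/;<>*|`&$!#()[]{}:'"//) ? 1 : 0;
}

# The reply's allowlist test: rejects any byte outside [a-zA-Z0-9].
sub allowlist_rejects {
    my ($indexdir) = @_;
    return ($indexdir =~ /[^a-zA-Z0-9]/) ? 1 : 0;
}

# Constructed sample inputs. Only the first is a legitimate directory name;
# the rest carry characters the blocklist does not mention but a shell,
# open() or a path lookup would treat specially.
my @samples = (
    [ 'plain name',   'archive1'     ],
    [ 'semicolon',    'archive;x'    ],  # caught by both checks
    [ 'newline',      "archive\nx"   ],  # slips past the blocklist
    [ 'backslash',    'archive\\x'   ],  # slips past the blocklist
    [ 'dot-dot path', '../../etc'    ],  # slips past the blocklist
    [ 'space',        'archive x'    ],  # slips past the blocklist
);

for my $sample (@samples) {
    my ($label, $value) = @$sample;
    printf "%-13s blocklist=%d allowlist=%d\n",
        $label, blocklist_rejects($value), allowlist_rejects($value);
}
```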