May SysAdmin man.sh security hole

From: Aleph One (aleph1at_private)
Date: Sat May 16 1998 - 08:41:43 PDT

    ---------- Forwarded message ----------
    Date: Fri, 15 May 1998 11:28:07 -0700
    From: Robert Moniot <moniotat_private>
    Subject: May SysAdmin man.sh security hole
    Newsgroups: comp.security.unix
    
    
    The May 1998 issue of SysAdmin Magazine contains an article,
    "Web-Enabled Man Pages", which includes source code for a very nice cgi
    script named man.sh to feed man pages to a web browser.  The hypertext
    links to other man pages are an especially attractive feature.
    
    Unfortunately, this script is vulnerable to attack.  Essentially,
    anyone who can execute the cgi thru their web browser can run any
    system commands with the user id of the web server and obtain the
    output from them in a web page.
    
    I have notified the author, and he has undertaken to replace the code
    posted on the www.samag.com website with corrected code, but in the
    meantime here is a patch that I believe closes the security hole.
    
    48,49c48,50
    <           sub(/\=/, "=\"", x)
    <           sub(/$/, "\"", x)
     ---
    >           gsub(/[^-_=+%a-zA-Z0-9]/, ".", x)   # strip out any funny chars
    >           sub(/\=/, "='"'"'", x)              # quote rhs in apostrophes
    >           sub(/$/, "'"'"'", x)
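
Review bot: The allowed set in the new gsub on line 48 keeps `%`, so a percent-encoded byte passes this filter unchanged; if any later stage percent-decodes the value, the decoded character was never checked against the set. Either do the decoding before this gsub or drop `%` from the bracket expression. The `a-zA-Z` ranges also depend on the locale awk runs under, so running the script with LC_ALL=C keeps them to ASCII letters. The `'"'"'` sequence on lines 49-50 deserves a short comment saying that, assuming the awk program sits inside a single-quoted shell argument, it closes and reopens that quoting to emit one literal apostrophe.
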
    51,52c52,53
    <           gsub(/\+/, " ", x)
    <           print x
     ---
    >           gsub(/\+/, " ", x)                  # change + to space
    >           if( x ~ /^(man|srch)=/ ) print x
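
Review bot: The name check on new line 53, `if( x ~ /^(man|srch)=/ ) print x`, is the only added line without a comment, and it is the one that decides which parameters reach the output at all. Add a comment stating that man and srch are the only accepted names and that everything else is dropped silently, including input with no `=`, which the earlier `sub(/\=/, ...)` leaves with just a trailing apostrophe. Since line 52 turns `+` into spaces inside the quoted value, the comment should also say that whatever consumes the value has to keep it quoted when expanding it.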
    


