TextCounter: SECURITY HOLE PLUGGED!

From: Matt Wright (mattwat_private)
Date: Wed Jun 24 1998 - 18:47:13 PDT

    Thanks to all of those at BugTraq who forwarded me the security hole info
    on TextCounter.  Sometimes it takes those 15 messages to get my attention
    as I usually don't get through all my e-mail these days (The author
    apparently did send me the warning about 8 days ago, but I hadn't read it
    yet). :(
    
    At any rate, I've spent about half the day today updating the TextCounter
    in order to plug this security hole, which was present in both the Perl
    and C++ versions.  I used a slightly different approach than the one
    originally proposed in the alert message.  This new approach causes count
    data files to be named slightly differently, as all non-word characters
    (anything besides a-z, A-Z and 0-9) are turned into an underscore.
    
    The new versions posted at my site come with the fixed source and a small
    perl script called convert.pl which will update your data filenames from
    v1.2 to v1.2.1 (or v1.3 to v1.3.1 if you use the C++ version).
    
    I also added some memory de-allocation to the C++ version which was
    missing originally and made the same bug fix that v1.2.1 in Perl
    received.  convert.pl will work with the C++ data files in the same way
    as both end up with the same names.
    
    You can obtain the fixed versions at:
        (Perl) http://www.worldwidemart.com/scripts/textcounter.shtml
        (C++)  http://www.worldwidemart.com/scripts/C++/textcounter.shtml
    
    Another short fix, which I don't believe is nearly as good as simply
    changing everything in the DOCUMENT_URI, is putting '.shtml/' into
    your @invalid_uri.  It was already in mine for other reasons, so I
    never noticed the attacks, though I think there are ways of getting
    around that fix, so I would recommend simply downloading and installing
    the new version.
    
    It is also possible that the new naming scheme could create a few
    conflicts where two pages want the same name.  There is a fairly slight
    chance of this happening, but if it becomes a problem for anyone, let
    me know and we'll try to find a work-around for that.
    
    Please let me know if there are any other gaping security holes or if
    this one has not been adequately fixed.
    
    Thanks,
    
    Matt Wright
    
    ********** The CGI Resource Index --> http://www.cgi-resources.com/ **********
    Matt Wright,  mattwat_private,   http://www.worldwidemart.com/mattw/
    Matt's Script Archive, Free CGI scripts, http://www.worldwidemart.com/scripts/
    ************ CGI/Perl Cookbook -> http://www.cgi-perl.com/promo/ *************
    
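The naming scheme the post describes (every character outside a-z, A-Z, 0-9 becomes an underscore) and the collision risk it mentions, as an added Python illustration; this is not the TextCounter code itself, and the data directory path and function names are assumptions made for the example:

```python
import os
import re
from collections import defaultdict

# Assumed location of the count data files; not taken from the post.
DATA_DIR = "/var/www/counter-data"


def count_file_name(document_uri: str) -> str:
    """Derive the count file name from DOCUMENT_URI as the post describes:
    anything besides a-z, A-Z and 0-9 is turned into an underscore."""
    return re.sub(r"[^A-Za-z0-9]", "_", document_uri)


def count_file_path(document_uri: str) -> str:
    """Build the full path of the count file and confirm it cannot leave
    DATA_DIR: the sanitized name holds no '/', '\\' or '.', so the only
    possible location is directly under the data directory."""
    name = count_file_name(document_uri)
    path = os.path.join(DATA_DIR, name)
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(DATA_DIR):
        raise ValueError("count file would fall outside the data directory")
    return path


def find_name_collisions(document_uris):
    """The post warns that two pages may want the same name. Group a list of
    URIs by their count file name and return only the names shared by more
    than one page, so an admin can spot them before counts get mixed up."""
    groups = defaultdict(list)
    for uri in document_uris:
        groups[count_file_name(uri)].append(uri)
    return {name: uris for name, uris in groups.items() if len(uris) > 1}


if __name__ == "__main__":
    # Constructed sample URIs, not from the post.
    pages = ["/docs/index.shtml", "/docs/a.b.shtml", "/docs/a_b.shtml"]
    for page in pages:
        print(page, "->", count_file_path(page))
    print("collisions:", find_name_collisions(pages))
```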



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:27 PDT