Re: PHP script: Penguin Traceroute, Remote Command Execution

From: Philip Turner (p.turnerat_private)
Date: Fri Mar 22 2002 - 00:52:17 PST


    On 21 Mar 2002 at 14:16, paul jenkins wrote:
    
    > /* ------------------------------ *
    >  * --------Security Freaks------- *
    >  * ----www.securityfreaks.com---- *
    >  * ------------------------------ */
    > 
    > 
    > Info
    > ====
    > Software: Penguin Traceroute
    > Website: http://www.linux-directory.com/scripts/traceroute.shtml
    > Versions: 1.0
    > Platforms: Linux
    > Vulnerability Type: Remote Command Execution
    > 
    > 
    > Details
    > =======
    > Penguin Traceroute is a Perl script that does traceroute. This is another
    > script where the author forgets to parse the input for any ; | characters 
    > and any user is able to execute anything he wants with the same 
    > permissions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd" 
    > and there goes the passwords, or if the user apache has write access 
    > "127.0.0.1;echo I iz 1337>index.html".
    > 
    > 
    > Fix
    > ===
    > Open up the Perl script in your favorite text editor, find a line that has
    > "$host = $q->param('host');" It's usually the 13th line down then just add 
    > this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and 
    
    Shouldn't this be "$host =~ s/[^0-9A-Za-z.-]//g;" on the basis 
    that accepting known good is safer than rejecting known bad?
    
    > that should parse out any unwanted characters.
    > 
    > 
    > 
    > 
    
    
    -- 
    Phil Turner
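
The two substitutions from this thread side by side, as an added example that is not part of the original messages or of Penguin Traceroute. `validate_host`, `run_traceroute`, the 253-character limit and the sample inputs other than the advisory's own string are assumptions made here, and `traceroute` is assumed to be on the PATH.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Denylist substitution, as quoted in the advisory's proposed fix.
sub denylist_strip {
    my ($host) = @_;
    $host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;
    return $host;
}

# Allowlist substitution, as quoted in the reply.
sub allowlist_strip {
    my ($host) = @_;
    $host =~ s/[^0-9A-Za-z.-]//g;
    return $host;
}

# Stricter variant (assumption, not from the thread): reject instead of
# silently rewriting, and refuse a leading '-' or '.' so the value cannot
# be parsed as a command-line option.
sub validate_host {
    my ($host) = @_;
    return undef unless defined $host;
    return $host =~ /\A[0-9A-Za-z][0-9A-Za-z.-]{0,252}\z/ ? $host : undef;
}

# List-form pipe open: no shell is involved, so the argument is never
# interpreted as shell syntax. Defined for reference, not called below.
sub run_traceroute {
    my ($host) = @_;
    open(my $fh, '-|', 'traceroute', $host) or die "cannot run traceroute: $!";
    my @out = <$fh>;
    close $fh;
    return @out;
}

# Which characters outside the hostname set does the denylist leave in place?
my $ascii = join '', map { chr($_) } (9, 10, 13, 32 .. 126);
(my $left = denylist_strip($ascii)) =~ s/[0-9A-Za-z.-]//g;
printf "denylist leaves %d non-hostname characters: %s\n", length $left,
    join ' ', map { sprintf '0x%02x', ord } split //, $left;

# Constructed inputs; the second is the string quoted in the advisory.
for my $in ('www.example.com', '127.0.0.1;cat /www/secure/.htpasswd', '-example') {
    printf "%-38s deny=[%s] allow=[%s] validate=%s\n", "[$in]",
        denylist_strip($in), allowlist_strip($in),
        (defined(validate_host($in)) ? 'ok' : 'rejected');
}
```

Stripping turns a hostile value into a different hostname and still runs the trace; rejecting it, as `validate_host` does, lets the script return an error to the caller instead.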
    


