I informed the admin of linux-directory about this months ago, but he doesn't seem to care a lot. The nslookup script on his site is also vulnerable to file reading and command executing vulnerabilities. Anyone noticed that the sample traceroute script doesn't work at all? Niels Teusink On 21 Mar 2002 at 14:16, paul jenkins wrote: > /* ------------------------------ * > * --------Security Freaks------- * > * ----www.securityfreaks.com---- * > * ------------------------------ */ > > > Info > ==== > Software: Penguin Traceroute > Website: http://www.linux-directory.com/scripts/traceroute.shtml > Versions: 1.0 > Platforms: Linux > Vulnerability Type: Remote Command Execution > > > Details > ======= > Penguin Traceroute is a perl script that does traceroute. This is another > script where the author forgets to parse the input for any ; | characters > and anyone user is able to execute anything he wants with the same > permitions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd" > and there goes the passwords, or if the user apache has write access > "127.0.0.1;echo I iz 1337>index.html". > > > Fix > === > Open up the perl script in your favorite text editor, find a line that has > "$host = $q->param('host');" Its usually the 13th line down then just add > this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and > that should parse out any unwanted characters. > > > >
This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 18:31:14 PST