DPGS allows any file to be overwritten

From: b0iler (b0ilerat_private)
Date: Fri Jun 21 2002 - 22:59:35 PDT

Next message: Dave Ahmad: "[slackware-security] new apache/mod_ssl packages available"

Previous message: Klaus, Chris (ISSAtlanta): "ISS Advisory clarification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Taken from the scripts website:
"WARNING: DPGS is no longer maintained and is thus discontinued. If you would like to take over its development, email me. - July 30, 2000"

This is the reasoning to why I did not contact the author prior to this email.

This is an example of how bad input filtering and open() based on user input make a nasty combo.

the script is Duma Photo Gallery System and in update.dpgs lies the problem open():

open(DATABASE, ">$path_to_members/$FORM{'id'}/data.txt")
	|| &error("Couldn't  write $path_to_members/$FORM{'id'}/data.txt");
	
while ( ($form_key, $form_value) = each(%FORM) ) {
	print DATABASE "$form_key$delimiter$form_value\n" unless
		( $form_value eq '' || $form_key eq "id" || $form_key =~ "password" );
}
close(DATABASE);



this will open the database of this user and then try to add data to the database.  Now 
here is what %FORM is filtered by in DPGS.pll:

        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $value =~ s/<([^>]|\n)*>//g;
        $value =~ s/<!--(.|\n)*-->//g; 	#removes any server side includes
        $value =~ s/^\s+//;	#remove any leading spaces
        $value =~ s/\s+$//; #remove any trailing spaces
        $value =~ s/$delimiter//g; #remove delimiters if any.
        $value =~ s/\"/\&quot\;/g; #replace quotes with &quot;
        $value =~ s/\r\n/<BR>/g; #replace new line characters with <BR>
        $FORM{$name} = $value;
	}
	
none of these stop directory transversal or the null byte.  So if we sign up with an id of ../../etc/passwd\0 then the /etc/passwd file will be the one opened for writting.  We can write to any file this way, even overwritting other user's data.txt files or 
the admin data file '../admin'.

No fix is on hand, but feel free to come up with your own.  Filter for null bytes and reverse directory 
transversal.

b0iler - http://b0iler.eyeonsecurity.net

make sure to check out http://b0iler.eyeonsecurity.net/tutorials/hackingcgi.htm for a great paper on perl cgi security and exploitation.  Many new methods of exploiting common perl cgi code.  Including the s/<!--(.|\n)*-->//g; "filter" which is used in this script and thousands of others.

Next message: Dave Ahmad: "[slackware-security] new apache/mod_ssl packages available"
Previous message: Klaus, Chris (ISSAtlanta): "ISS Advisory clarification"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jun 21 2002 - 14:06:36 PDT