Gunter,
On Friday, November 29, 2002, at 02:19 AM, Gunther Birznieks wrote:
Speaking of Perl Web Server vulnerabilities....
[snip]
pWins allows directory traversal via unicode characters (%255, you know, nimda stuff).. If it's installed on the c drive, you can get to any file (ahem.. sam._) easily.. for example, http://SomeWebServer/../../windows/repair/sam._
no exploit provided because too trivial..
Hah! I checked the source of this thing, this guy takes security very seriously:
# This function is pWins' actual security check for Perl scripts. Before
# processing, it parses the source code for commands that must not occur
# because they would endanger server security.
# Currently this is only a test
sub Parse {
    $cgi_bin = $_[1];
    $file = substr($_[2], 1, (length($_[2])-1));
    open(SCRIPT, "$cgi_bin"."$file");
    while(<SCRIPT>){
        chomp;
        my @type = split(/\n/);
        foreach my $line (@type){
            unless($line =~ /^#/){
                if($line eq /system/){
                    my $securecounter = 1;
                }
            }
        }
    }
    close(SCRIPT);
    if($securecounter != 0){return(1)};
    return(0);
}
See? Whenever the server receives a request to run a perl cgi script, it parses it and refuses to run it if the word "system" occurs in it! Even in a comment whose '#' has whitespace in front of it!
Who said parsing perl was hard?
Regards,
Bas.
ps. I wonder if we could make a really good perl application server based on this?
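
An added example, not part of the original message and not pWins code: one way a Perl web server can map a request path to a file so that the traversal described in the quoted advisory is refused. The function name resolve_request, the temporary document root and the request strings are constructed for illustration, and POSIX-style paths are assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Hypothetical helper: map a raw request path to a regular file under
# $docroot, or return undef if the request must be refused.
sub resolve_request {
    my ($docroot, $raw) = @_;
    my $root = realpath($docroot);
    return unless defined $root;

    # Decode percent-escapes exactly once, as the server itself would.
    (my $path = $raw) =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;

    # An escape that survives decoding means double encoding (%252e -> %2e):
    # refuse it instead of decoding again. Also refuse NUL and backslash.
    return if $path =~ /%[0-9A-Fa-f]{2}/ || $path =~ /[\0\\]/;

    # Refuse any ".." segment before touching the filesystem.
    my @seg = grep { length && $_ ne '.' } split m{/}, $path;
    return if grep { $_ eq '..' } @seg;

    # Canonicalise (this follows symlinks) and confirm the result is a
    # regular file that still lies inside the document root.
    my $full = eval { realpath(File::Spec->catfile($root, @seg)) };
    return unless defined $full && -f $full;
    return unless substr($full, 0, length($root) + 1) eq "$root/";
    return $full;
}

# Constructed demo: a throwaway document root and constructed request paths.
my $docroot = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($docroot, 'index.html')) or die "open: $!";
print {$fh} "hello\n";
close($fh);

for my $req ('/index.html',
             '/../../windows/repair/sam._',
             '/%2e%2e/%2e%2e/windows/repair/sam._',
             '/%252e%252e/index.html') {
    printf "%-40s %s\n", $req,
        defined(resolve_request($docroot, $req)) ? 'served' : 'refused';
}
```

Only the first request is served; the check is an allow-by-containment test on the canonical path, in contrast to scanning input for forbidden words.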