I think someone can still access files outside your WWW directory by
requesting a file called .\./somefile.  When your script first checks
for instances of ".." in the URL, it doesn't find any since the periods
are separated by a backslash.  The script then removes all backslashes,
changing the URL to ../somefile.


Matt


On Sun, Feb 17, 2002 at 10:26:28PM -0800, Ryan wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> This is a perl cgi script I wrote to allow me to have large html files on my 
> web host without exceeding my storage quota.
> 
> I'd like it looked at, _I_ can no longer abuse it to run random commands or 
> go where I shouldn't, but that doesn't mean others can't.
> 
> Any other feedback would also be great.
> 
> #!/usr/bin/perl
> #Let users transparently access files that are gzipped server-side
> #Useful only to keep under my storage quota ;-)
> 
> my $in = $ENV{'QUERY_STRING'};                # Handle CGI calls
> $in =~ s/\+/ /g;                      # Replace '+' with ' '
> $in =~ s/%(..)/pack("c",hex($1))/ge;  # Undo URL quoting
> 
> $in =~ s/\.\.//g;                     # Foil Nasty h4x0rz trying to descend
>                                       # directories
> $in =~ s/\\//g;                               # There is no need for backslashes!
> $in =~ s/\'//g;                               # prevent h4x0rz from
>                                       # running commands like
>                                       # zcat.cgi?file=foo.html.gz';rm -rf *'
> 
> my %data = split (/=/, $in);          # Make an array
> 
> my $file = $data{'file'};             # get the name of the requested file
> 
> print "Content-Type: text/html\n\n";
> # print `echo '$file'`;                       # debugging
> print `zcat ~/WWW/'$file'`;           # quotes prevent nasties.
> 
> - -- 
> No Microsoft products were used in any way for the creation of this message.
> PGP Public key at http://mother.com/~ryan/ryan_at_mother_dot_com.asc
> It is also on the servers: Key ID 0x72177BC7
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
> 
> iD4DBQE8cJ6cEd9E83IXe8cRAq5qAJ9+/mIZVuwdV/uCwIzU4Cz1/Kp3bQCYrHty
> tRBI7Iewb8CvWNC/kQE2DA==
> =WHOW
> -----END PGP SIGNATURE-----
> _______________________________________________
> vox-tech mailing list
> [EMAIL PROTECTED]
> http://lists.lugod.org/mailman/listinfo/vox-tech

-- 

*************************************************
* Matt Roper <[EMAIL PROTECTED]>                *
* http://www.mattrope.com                       *
* PGP Key: http://www.mattrope.com/mattrope.asc *
*************************************************