PerlMonks  

Company hacks through my Perl's Website Security hole

by Nik
on May 21, 2004 at 16:16 UTC (node #355319)
Nik has asked for the wisdom of the Perl Monks concerning the following question:

Some people today from efnet just hacked the Company that gives people free ftp access and Perl and MySQL support for people to upload their webpages (www.50free.com), through my Website.

They used a security hole of an open command at index.pl, this one to be exact:
print start_form(-action=>"index.pl");
# Menu of every file in data/texts; the label is Greek for
# "A soul-profiting and wonderful word => "
print p( {-align=>'center'},
    font( {-size=>5, -color=>'Lime'}, 'Λόγος Ψυχωφελής και Θαυμάσιος => ' ),
    popup_menu( -name=>'select', -values=>\@files ),
    submit('ok'));
print end_form();
# The hole: $file comes straight from the request, and two-arg open
# treats a trailing '|' as "run this command and read its output".
$file = param("select") || $files[rand(@files)];
open(IN, "../data/texts/$file") or die $!;
and they gave a string similar to this in their address bar, kos.50free.net/cgi-bin/index.pl?select=../../../../../bin/ls%20-la%20%7e%7c, to do it. They passed values to the select variable and did those things. In the same way they gained pseudo shell access within my user account and did various things.

My question is this: Should I be considered responsible for such an action? I just today found out that my site had a security hole like that. Or is the Company to blame for not securing their server better, as they should and could have?

At the moment I can't log in to my ftp account, and haven't been able to for a lot of hours, and the Company's main webpage isn't functioning either?? What is your opinion? I believe it's not my fault, because I am a newbie user and I can't know whether or not my website has security flaws or holes (at the moment I just want my webpage to work); security is not my concern now. I believe the company should have imagined that these things might happen and prevented them.

What do you think?

20040525 Edit by castaway: Changed title from 'Compnay hackes through my Perl's Website Securtity hole'

Re: Company hacks through my Perl's Website Security hole
by davido (Archbishop) on May 21, 2004 at 16:29 UTC
    It is your fault for exposing a company's servers to a security breach through a hole in a script you wrote and placed on their server. Ignorance isn't bliss, nor is it an excuse.

    The company's mistake was allowing a 'newbie' to place scripts on their site. However, site policy was only the weapon. You put the bullet in it and handed it to the criminal to pull the trigger.

    Give us a break. You have been warned many times here and other places to pay attention to security issues.


    Dave

      It is your fault for exposing a company's servers to a security breach through a hole in a script you wrote and placed on their server. Ignorance isn't bliss, nor is it an excuse.

      I disagree. See my post for why.

      The company's mistake was allowing a 'newbie' to place scripts on their site.

      Yes

      However, site policy was only the weapon.

      Not in the sense that you mean. Good operating systems have the ability to limit badly behaving users so they don't take down the system. If I were handing out accounts to unknowns, I'd expect to have to harden the system appropriately. This is 'system policy' the way sysadmins think about it. You're probably referring to 'written policy', which is usually worth the paper it's printed on.

      You put the bullet in it and handed it to the criminal to pull the trigger.

      Please don't use violent metaphors, there are plenty of better ones to choose from. Like sexual metaphors. Gets the point across, but is a happier thought.

      ____________________
      Jeremy
      I didn't believe in evil until I dated it.

        Please don't use violent metaphors, there are plenty of better ones to choose from. Like sexual metaphors. Gets the point across, but is a happier thought.

        *uproarious laughter* I prefer lite-beer metaphors. Less filling, Tastes great.

Re: Company hacks through my Perl's Website Security hole
by jepri (Parson) on May 21, 2004 at 16:29 UTC
    As a professional sysadmin, I can say that it isn't your fault if someone takes down the entire box thanks to your carelessness. Don't expect the admins to like you afterwards though.

    I'm not quite following how they 'hacked in' though. What's that code you posted? Were you running code submitted to a webpage or something? You sure had it coming if you did.

    I'm getting DNS errors trying to get to the site you mentioned. That doesn't necessarily mean the webserver has been hacked, but probably something is wrong with their systems.

    And a quick update, clarifying the first paragraph. It's the sysadmin's job to protect users from themselves. Sometimes the sysadmin is unable to protect the system from the boneheaded users. However ultimately the sysadmin decides who gets to run what, with what priority and how much system resources they may use.

    If they flub this, or if the OS contains a compromise, then it gets filed under "shit happens", they pull the backup tapes off the rack, and life goes on.

    ____________________
    Jeremy
    I didn't believe in evil until I dated it.

      That code as written allows anyone to run arbitrary programs. $file was supplied by the user and given to two-arg open, which, when the filename ends in a pipe symbol, interprets it as a shell command to run.
        update: This post works a lot better as a reply to pzbagel, which is where it should be... except that I clicked the wrong link. My bad.

        The system should have been protected by privilege separation. This guy's account gets hacked, the hackers muck around... the sysadmin deletes the account. No worries.

        Except it didn't work that way, this time. I can't even figure out from the parent post what actually happened. Perhaps a lightning strike took out the server room just as he realised his mistake?

        ____________________
        Jeremy
        I didn't believe in evil until I dated it.
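The reply above describes the mechanism in one sentence; here it is as runnable code. This is an added example, not code from the thread: it builds a throwaway cgi-bin/ and data/texts/ tree with an assumed hello.txt, keeps the posted two-arg open verbatim, and uses /bin/echo in place of the attacker's ls. The three-arg open beside it is the minimal fix for the command execution, and the last call shows that it does nothing about the directory-traversal read that Somni describes further down the thread.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: what two-arg open() does with the
# user-controlled string from the original index.pl, beside the three-arg form.
# The directory tree and hello.txt are constructed here (assumed names) so the
# script runs stand-alone; /bin/echo stands in for the attacker's ls.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Throwaway tree shaped like the hosting account: cgi-bin/ beside data/texts/.
my $root = tempdir(CLEANUP => 1);
make_path("$root/cgi-bin", "$root/data/texts");
open my $fh, '>', "$root/data/texts/hello.txt" or die $!;
print {$fh} "a harmless text file\n";
close $fh;
chdir "$root/cgi-bin" or die $!;

# The posted open, unchanged: two arguments, file name built from the request.
# Two-arg open inspects the string itself for a mode: a leading '<', '>', '>>'
# or '|' changes what it does, and a trailing '|' means "run this as a command
# and read its output".
sub two_arg_open {
    my ($file) = @_;
    open(IN, "../data/texts/$file") or return "open failed: $!\n";
    my @data = <IN>;
    close(IN);
    return join '', @data;
}

# Three-arg open: the mode is a separate argument, so the whole third argument
# is a file name, whatever characters it contains.
sub three_arg_open {
    my ($file) = @_;
    open(my $in, '<', "../data/texts/$file") or return "open failed: $!\n";
    local $/;
    my $data = <$in>;
    close $in;
    return $data;
}

# Enough '../' to climb from data/texts to '/' wherever the temp tree lives
# ('..' at the root is a no-op), then a path that lands on /bin/echo.
my $command   = ('../' x 12) . 'bin/echo INJECTED |';
my $traversal = ('../' x 12) . 'etc/passwd';

print "two-arg,   hello.txt:  ", two_arg_open('hello.txt');
print "two-arg,   command:    ", two_arg_open($command);    # executes /bin/echo
print "three-arg, command:    ", three_arg_open($command);  # just a missing file

# Three-arg open closes the command injection but not the other hole: any
# file the web server can read is still one '../' away. The caller has to
# validate $file before it reaches open at all.
my $leaked = three_arg_open($traversal);
print "three-arg, traversal:  ", (split /\n/, $leaked)[0], "\n";
```

The two-arg form is what the posted index.pl used; note that the only difference between "read a text" and "run a program" is the last character of a string the visitor controls.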

Re: Company hacks through my Perl's Website Security hole
by pzbagel (Chaplain) on May 21, 2004 at 16:35 UTC

    I believe it's not my fault, because I am a newbie user and I can't know whether or not my website has security flaws or holes (at the moment I just want my webpage to work); security is not my concern now. I believe the company should have imagined that these things might happen and prevented them.

    First of all, you better believe it is your responsibility! Your lack of skill is no excuse for putting flawed code on a website. You should have bothered to read and educate yourself on safe CGI coding practices. You should have bothered to use Safe and taint mode and scrutinized the data input into your script.

    The "I didn't know any better" excuse is tired and lame. It's the same excuse used by the people at the office who get infected with viruses over and over. "I didn't know I shouldn't open attachments in strange emails sent to me which promise nude pictures of Britney..."

    Now, the company could have done a few things to make the environment you were allowed to execute your scripts in a little safer. But any company that allows any random n00b to install CGIs on their server is "a little whacked". However, that doesn't absolve you of need to code responsibly.

    And one more thing. I find the comment "security is not my concern" appalling! It sure is your concern. You and every other person who posts crappy code on that website. Otherwise you can look forward to LOTS more downtime.

    Later

Re: Company hacks through my Perl's Website Security hole
by Abigail-II (Bishop) on May 21, 2004 at 16:41 UTC
    They used a security hole of an open command at index.pl this to be exact.
    No, they did not. They used a security hole in your program, not a security hole of the open command.
    Should i have to be considered responsible for such an action?
    In a way yes. Normal people are responsible for their own actions. That doesn't mean you are the only one to blame though. The people who gave you the ability to upload scripts like that are also to blame. Whether you are liable for damages depends on what kind of contract you have with the company.

    Next time, use tainting.

    Abigail
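Abigail's one-line advice, shown as an added example that is not code from the thread. It runs the posted two-arg open under perl's taint mode (-T) against three constructed requests: the legitimate file name, the command-injection string from the original post (with /bin/echo in place of ls), and a directory-traversal string. The hello.txt file, the temporary directory, and the tainted-empty-string trick used to stand in for param("select") are all assumptions of the example. Two things are worth seeing: taint mode kills the piped open outright, but it does not object to reading an arbitrary file, so the regex that untaints the name has to be the real check.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: what perl's taint mode (-T) does and
# does not catch in an open() like the one in index.pl. The directory layout
# and hello.txt are constructed here so it runs stand-alone.
# Run as:   perl -T taint_demo.pl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);
use Scalar::Util qw(tainted);

# Constructed fixture: an untainted texts directory holding one real file.
my $texts = tempdir(CLEANUP => 1) . '/data/texts';
make_path($texts);
open my $fh, '>', "$texts/hello.txt" or die $!;
print {$fh} "a harmless text file\n";
close $fh;

# Anything from outside the program (CGI params, %ENV, @ARGV, file input) is
# tainted under -T. The empty string below is cut from environment values, so
# it is tainted too; appending it to a literal taints the literal, which lets
# this script stand in for param("select") without a web server.
my $TAINT = substr(join('', values %ENV), 0, 0);
my @requests = (
    "hello.txt$TAINT",                              # legitimate
    ('../' x 10) . "bin/echo INJECTED |$TAINT",     # command injection
    ('../' x 10) . "etc/passwd$TAINT",              # directory traversal
);

# The posted open, verbatim except for the directory prefix.
sub two_arg_open {
    my ($file) = @_;
    open(IN, "$texts/$file") or die "open failed: $!\n";
    my $first = <IN>;
    close(IN);
    return $first;
}

# Untainting: taint mode only clears data that passes through a regex
# capture, so the capture *is* the validation. This one accepts a bare file
# name that starts with a word character (so '.', '..' and dotfiles fail)
# and contains nothing but word characters, dots and dashes: no slashes,
# no spaces, no shell characters.
sub untaint_name {
    my ($file) = @_;
    my ($clean) = $file =~ /\A([\w-]+(?:\.[\w-]+)*)\z/
        or die "rejected: bad file name\n";
    return $clean;
}

for my $req (@requests) {
    printf "%-45s tainted=%d\n", "'$req'", tainted($req) ? 1 : 0;

    # 1. Raw tainted data straight into the two-arg open. The piped form dies
    #    with "Insecure dependency in piped open"; the plain reads go through,
    #    including the one that climbs out of data/texts.
    my $got = eval { two_arg_open($req) };
    print "  two-arg open, tainted:   ", defined $got ? $got : $@;

    # 2. Same open, after the name has been validated and untainted.
    $got = eval { two_arg_open(untaint_name($req)) };
    print "  two-arg open, untainted: ", defined $got ? $got : $@;
}
```

Start it with `perl -T taint_demo.pl`; a `-T` on the #! line is too late if the script is launched with plain `perl`. The point of the exercise is that -T would have turned the reported incident into an error page, while leaving the file-read hole for the untaint regex to close.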

Re: Company hacks through my Perl's Website Security hole
by Anonymous Monk on May 21, 2004 at 17:23 UTC
    Hi Nik, excuse my ignorance, but what is efnet?

      An IRC network. Great refuge of script kiddies and other miscreants on the Internet.

Re: Company hacks through my Perl's Website Security hole
by Somni (Friar) on May 21, 2004 at 17:28 UTC

    I think a little background is in order. Nik came onto EFnet #Perlhelp as Apost asking for help with his code. Originally all he had was an open call that took a filename from user input, i.e. open(FILE, "<../some/dir/$user_input"). He was told that was a security hole, but he didn't believe it was. He was then shown it was a security hole when someone gave him a URL that caused the script to read /etc/passwd.

    As the discussion went on someone mentioned any arbitrary program could be run. This, of course, was false, and the person was corrected. However, Apost became curious, and asked how his code could possibly run an external program. He was told that if he removed the leading "<" in his open call then anyone could supply a command if they did it just right.

    Yes, he explicitly changed his code to allow for an even bigger security hole, after he was told it was a security hole and what it would allow.

    The full log of the conversation can be found here.

      Thanks Somni ... I was thinking the 'Λόγος Ψυχωφελής και Θαυμάσιος => ' (Greek: "A soul-profiting and wonderful word => ") was some sort of binary code that was getting executed. What the heck is 'Λόγος Ψυχωφελής και Θαυμάσιος => ' anyways?
        It's Greek. The CGI was part of a Greek website, hence.
      You know what else, here on perlmonks Nik has been told several times to use tainting and to read perlsec.

        And on the Devshed Forums where I'm a moderator I've told him to figure out tainting too. I don't know what the resistance is here. . .

        -Any sufficiently advanced technology is
        indistinguishable from doubletalk.

        My Biz

      I'd also like to point out that xmath used the exploit to remove execute permissions from the script to prevent any incidents, but at a later point the script was re-activated by this thread's creator in spite of numerous explicit warnings against doing so before fixing the exploit.

      Normally such incidents are considered a gimme when providing web services to users, but if ever a case existed where a user should be held responsible for such negligence it would be this one.

      Nik: Are you responsible? Yes. Are you liable for any damages? Probably not, which, judging from your demeanor in the channel, is probably your only real concern.


      Roses are red, violets are blue. All my base, are belong to you.
Re: Company hacks through my Perl's Website Security hole
by blue_cowdawg (Prior) on May 21, 2004 at 17:49 UTC

        is the Company to blame for not securing their server better, as they should and could have?

    If one of my dogs bites the hand of a child provoking it, then I'm to blame because it is my dog, and whether the parent wants to accept it or not, the parent is responsible for the child's actions.

    Likewise you put some code out there in the wild and it bit someone. You are responsible for what your code did.

    It might well be in the "company's" best interests to better secure their servers, and not letting you upload unverified CGI to their servers may be a future step they opt to take.

Re: Company hacks through my Perl's Website Security hole
by Anonymous Monk on May 21, 2004 at 18:02 UTC
    Hacking the website is a criminal act and you're not legally responsible for other peoples' criminal acts, even if you dress like a whore or leave your doors unlocked. The programmer, however, is another matter. Whoever programmed this is certainly liable to his customer for any damages. He dressed you up like a whore and drove you into the bad part of town, pumped you full of roofies and dumped you on the curb, dazed and half naked and with a sign on your back saying "FREE ASS". (Jeremy, I hope this metaphor is okay by you)
      After reading Somni's node above, it seems to me that Nik knew his code was vulnerable and even purposely made his cgi more dangerous.
        Hi Monks,

        What Somni said was 100% true. I indeed connected to the EFnet IRC network and joined the #perlhelp channel to ask the folks there about a problem of mine, which I also posted about today in another post, about a file that cannot be opened.
        Well, I didn't want to tell you the whole story because you might think and tell me that I was looking for trouble.
        Well, indeed I was asking for it, but not intentionally to do harm to the company; it was pretty much curiosity. I just wanted to see with my own eyes the effects of that security hole on the server, so that I could actually understand what problem a Perl CGI security hole could cause. I also wanted the guys not only to show me that but to explain the whole "hacking" process to me as well......

        Please feel free to blame me for this, but I am telling you my curiosity was the only reason for such a mess. But I wasn't the one that hacked the website and did ... God knows ... what else to the server. But I wanted the guys at EFnet to show me the tricks, and I don't hesitate to say that if my webpage hadn't gone off I would try them myself one by one to see and understand how this stuff works!! :-)

        I don't think this is wrong, since if you don't try yourself you won't learn. Well, I am not saying it's right either, because I don't own the server; it's just a free hosting company I use to host my webpage with the funny chars (we call it Greek). Sometimes the need, the curiosity and the desire to test something that you have just been taught is too much to handle.... so you don't actually think of the consequences.... After these tests, which unfortunately I wasn't able to run, I would fix the script, but I needed to try first....

        Anyway, guess what?

        I just logged in to my account and saw that some nice fellow renamed my index.pl to index.pl.bak, and in the actual index.pl he deliberately corrected the security hole for me!!!! Isn't that great or what?!?! I just want to thank the guy, whoever he may be; I guess he's a fellow from efnet. But I also wanted to ask you guys to explain the correction that took place to me..... I will then paste all of my index.pl for you to see, so that you can tell me if it has any other flaws that I can't see, since I am a newbie.... Here is the correction the "unknown" friend has made:
undef @isfile{@files};
exists $isfile{$file} or die;
        Here is also the whole index.pl.... if you are not bored, have a look.....
#!/usr/bin/perl -w
use CGI::Carp qw(fatalsToBrowser);
use CGI qw(:standard);
use DBI;
use DBD::mysql;
use Mail::Sendmail;

# Local time in Greece (UTC+3), with the seconds and the year stripped.
$xronos = scalar(localtime(time + 10800));
$xronos =~ s/:\d{2} \d{4}//g;

# Reverse-resolve the visitor's address; fall back to the bare IP.
$ip = $ENV{'REMOTE_ADDR'};
@numbers = split (/\./,$ip);
$address = pack ("C4", @numbers);
$host = gethostbyaddr ($address, 2) || $ip;

print header( -charset=>'iso-8859-7' );
# Title is Greek for "Soul-profiting spiritual texts!"
print start_html( -title=>'Ψυχωφελή Πνευματικά Κείμενα!', -background=>'../data/images/night.jpg' );

# Local test database when not running on the hosting server
# (hosting credentials redacted).
$db = ($ENV{'SERVER_NAME'} ne 'nikos.50free.net')
    ? DBI->connect('DBI:mysql:nikos_db', 'root', '')
    : DBI->connect('DBI:mysql:nikos_db:50free.net', '********', '********')
    or print font({-size=>5, -color=>'Lime'}, $DBI::errstr) and exit 0;

# Every file in data/texts becomes a menu entry, reduced to its bare name.
@files = <../data/texts/*>;
foreach (@files) { $_ =~ s/.*[\/\\](.*)/$1/; }

print start_form(-action=>"index.pl");
# Label is Greek for "A soul-profiting and wonderful word => "
print p( {-align=>'center'},
    font( {-size=>5, -color=>'Lime'}, 'Λόγος Ψυχωφελής και Θαυμάσιος => ' ),
    popup_menu( -name=>'select', -values=>\@files ),
    submit('ok'));
print end_form();

$file = param("select") || $files[rand(@files)];
# The correction: only a name that is actually in the listing gets past here.
undef @isfile{@files};
exists $isfile{$file} or die;
open(IN, "../data/texts/$file") or die $!;
@data = <IN>;
close(IN);
$data = join("", @data);
$data =~ s/\n/\\n/g;

#*******************************************************************************
print <<ENDOFHTML;
<html><head><title></title>
<script type="text/javascript">
var textToShow = "$data";
var tm;
var pos = 0;
var counter = 0;
function init() { tm = setInterval("type()", 50) }
function type() {
  if (textToShow.length != pos) {
    d = document.getElementById("DivText");
    c = textToShow.charAt(pos++);
    if (c.charCodeAt(0) != 10) d.appendChild(document.createTextNode(c));
    else d.appendChild(document.createElement("br"));
    counter++;
    if (counter >= 1800 && (c.charCodeAt(0) == 10 || c == ".")) {
      d.appendChild(document.createElement("br"));
      d.appendChild(document.createTextNode("Press any key..."));
      counter = 0;
      clearInterval(tm);
      document.body.onkeypress = function () {
        document.getElementById("DivText").innerHTML = '';
        tm = setInterval("type()", 50);
        document.body.onkeypress = null;
      };
    }
  } else clearInterval(tm);
}
</script>
<body onload=init()>
<center>
<div id="DivText" align="Left" style=" background: url(../data/images/blueblack.jpg); border-color: Yellow; border-style: Groove; border-width: 10; width: 900; height: 500; color: Lightblue; font-face: Com; font-size: 19"> </div>
</body>
</html>
ENDOFHTML
#*******************************************************************************

print br(), br();
# Feedback form posted to show.pl. Greek prompts, in order: "What's your name,
# brother?", "What is your opinion of the Jesus prayer 'Lord Jesus Christ,
# have mercy on me'?", "Share with us a personal spiritual experience with
# some elder that you consider remarkable, for the benefit of the other
# brethren, if of course you have one...", "What is your e-mail?";
# the buttons are "Display" and "Send".
print start_form(-action=>"show.pl");
print table( {-border=>1, -width=>"65%", -align=>"center", -style=>"border: ridge magenta; color: lime; font-size: 18", -background=>"../data/images/fire.jpg"},
    Tr( {-align=>'center'}, td( "Πώς σε λένε αδελφέ?" ), td( textfield( 'onoma' ))),
    Tr( {-align=>'center'}, td( "Ποιά είναι η γνώμη σου για την ευχή του Ιησού 'Κύριε Ιησού Χριστέ Ελέησον Με' ?" ), td( textarea( -name=>'sxolio', -rows=>5, -columns=>30 ))),
    Tr( {-align=>'center'}, td( "Μοιράσου μαζί μας μία κατά τη γνώμη σου θαυμαστή προσωπική σου πνευματική εμπειρία από κάποιον γέροντα προς ώφελος των υπολοίπων αδελφών αν φυσικά έχεις ..." ), td( textarea( -name=>'empeiria', -rows=>7, -columns=>30 ))),
    Tr( {-align=>'center'}, td( "Ποιό είναι το e-mail σου?" ), td( textfield( 'email' ))),
    Tr( {-align=>'center'}, td( submit( 'Εμφάνιση' )), td( submit( 'Αποστολή' ))));
print end_form(), br(), br();

# A random non-blank line from the tips file.
open(IN, "<../data/texts/tips") or die $!;
@tips = <IN>;
close(IN);
@tips = grep { !/^\s*\z/s } @tips;
$tip = $tips[int(rand(@tips))];
print table( {-width=>"90%", -align=>"center", -style=>"border: ridge lightgreen; color: yellow; font-size: 18", -background=>"../data/images/blue.jpg"},
    Tr( {-align=>'center'}, td( font( {-size=>3, -color=>'white'}, b( $tip )))));

# Visitor counter.
$db->do( "UPDATE counter SET visitor = visitor + 1" );
$st = $db->prepare( "SELECT visitor FROM counter" );
$st->execute();
$row = $st->fetchrow_hashref;

print font( {-size=>4, -color=>'Yellow'}, "<br>$host<br>" );
print font( {-size=>4, -color=>'Orange'}, "<br>$xronos<br>" );
print font( {-size=>4, -color=>'Cyan'}, "<br>$row->{visitor}<br><br>" );
print a( {href=>'games.pl'}, img {src=>'../data/images/games.gif'} );
print p( {-align=>'right'}, a( {href=>'../data/photos/'}, font( {-size=>4, -color=>'Lime'}, 'Π' )));

# Visits from these hosts are not logged.
if ($host =~ /thes530-.*?\.otenet\.gr|millennium-.*?\.ccf\.auth\.gr/) { exit 0; }

open(OUT, ">>../data/texts/log") or die $!;
print OUT $host, " "x(40-length($host)), "-> ", $xronos, "\n";
close(OUT);

if ($ENV{'SERVER_NAME'} ne 'nikos.50free.net') { exit 0; }

# Subject is Greek for "Visitor from $host"
#%mail = ( To => 'nik0s@mycosmos.gr',
#          From => 'roufianos@kyp.gr',
#          Subject => "Επισκέπτης από $host"
#        );
#sendmail(%mail) or die $Mail::Sendmail::error;
        Sorry for the mess I caused and please excuse me for my curiosity..... but anyway no harm is done. All works great now... :-) Lucky me!

        20040524 Edit by Corion: Removed DB username and password

      It made me laugh, so I'll pay it.

      After reading that conversation, it looks like the parent poster is one of those whiney guys who deliberately makes a mess and then blames the people nearby for not stopping him. There's not much anyone else can do in that situation.

      ____________________
      Jeremy
      I didn't believe in evil until I dated it.
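The two-line fix that turned up in Nik's index.pl, taken apart as an added example that is not code from the thread. The directory, the two text files and their names are constructed here. It shows what the check accepts and rejects, and one limitation that follows from how the list is built: the posted index.pl keeps tips and the visitor log in the same data/texts directory, so those names are in the allow-list too.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: how the hash-slice allow-list that
# was dropped into index.pl works, and what it does and does not reject.
# Directory and file names are constructed so the script runs stand-alone.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

my $texts = tempdir(CLEANUP => 1) . '/data/texts';
make_path($texts);
for my $name (qw(hello.txt psalm.txt)) {
    open my $fh, '>', "$texts/$name" or die $!;
    print {$fh} "contents of $name\n";
    close $fh;
}

# As in index.pl: glob the directory, then strip everything up to the last
# path separator so @files holds bare names, which are also the menu values.
my @files = glob("$texts/*");
s{.*[/\\](.*)}{$1} for @files;

# The fix. "undef @isfile{@files}" is a hash slice: it creates one key per
# file name with the value undef. "exists" tests for the key, not the value,
# so the undef values are fine; a "defined" or truth test here would wrongly
# reject every file.
my %isfile;
undef @isfile{@files};

# Returns the file contents, or dies. Because the test is exact string
# membership in the directory listing, "../x", "x |" and "hello.txt " all
# fail before open is ever reached.
sub select_file {
    my ($file) = @_;
    exists $isfile{$file} or die "not a selectable file\n";
    open my $in, '<', "$texts/$file" or die $!;
    local $/;
    my $data = <$in>;
    close $in;
    return $data;
}

my @requests = (
    'hello.txt',                                # in the listing
    ('../' x 10) . 'bin/echo INJECTED |',       # the reported attack string
    ('../' x 10) . 'etc/passwd',                # traversal
    'hello.txt ',                               # trailing space: not a key
    '',                                         # empty: not a key either
);
for my $req (@requests) {
    my $got = eval { select_file($req) };
    printf "%-40s -> %s", "'$req'", defined $got ? $got : $@;
}

# Caveat: the list is rebuilt from the directory on every request, so whatever
# is in data/texts is selectable. In the posted script that includes the tips
# file and the visitor log it appends to, not only the texts meant for display.
```

The idiom is older Perl; a hash built with `my %isfile = map { $_ => 1 } @files;` and tested with `$isfile{$file}` reads the same way and is what most people write today. Either way the security property is the same: the request can only name something the script itself enumerated.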

Re: Company hacks through my Perl's Website Security hole
by Art_XIV (Hermit) on May 21, 2004 at 18:19 UTC

    It's your fault and it's "the company's" fault and it's the sum'bitch who broke into the server's fault.

    But look on the bright side... if you are, in fact, a newbie and an aspiring developer, then you've learned a very important lesson early on - that Security Matters, and it matters a lot.

    Accept responsibility for your part in this fiasco, and forgive yourself for it as you begin your new policy of always using taint mode for CGIs and always validating input from external sources.

    There are plenty of free tutorials and articles here on perlmonks and on other sites on securing applications.

    Hanlon's Razor - "Never attribute to malice that which can be adequately explained by stupidity"
