
Re: Re: Re: Company hacks through my Perl's Website Security hole

by Nik
on May 21, 2004 at 18:45 UTC

in reply to Re: Re: Company hacks through my Perl's Website Security hole
in thread Company hacks through my Perl's Website Security hole

Hi Monks,

What Somni said was 100% true. I indeed connected to the EFnet IRC network and joined the #perlhelp channel to ask the folks there about a problem of mine, which I also posted today in another post, about a file that cannot be opened.
Well, I didn't want to tell you the whole story because you might think and tell me that I was looking for trouble.
Well, indeed I was asking for it, but not intentionally to do harm to the company, but pretty much out of curiousness. I just wanted to see with my own eyes the effects of that security hole on the server so that I could actually understand what problems a Perl CGI security hole can cause. I also wanted the guys not only to show me that but to explain the whole "hacking" process to me as well......

Please feel free to blame me for this, but I am telling you my curiousness was the only reason for such a mess. But I wasn't the one that hacked the website and did ... God knows ... what else to the server. But I wanted the guys at EFnet to show me the tricks, and I don't hesitate to say that if my webpage hadn't gone off I would have tried them myself one by one to see and understand how this stuff works!! :-)

I don't think this is wrong, since if you don't try yourself you won't learn. Well, I'm not saying it's right either, because I don't own the server; it's just a free hosting company I use to host my webpage with the funny chars (we called it Greek). Sometimes the need, the curiosity and the desire to test something that you have just been taught is too much to handle.... so you don't actually think of the consequences.... After these tests, which unfortunately I wasn't able to run, I would fix the script, but I needed first to try....

Anyway, guess what?

I just logged in to my account and saw that some nice fellow renamed my to and in the actually he deliberately corrected the security hole for me!!!! Isn't that great or what?!?! I just want to thank the guy, whoever he may be; I guess he's a fellow from EFnet. But I also wanted to ask you guys to explain to me the correction that took place..... I will then paste all my for you to see so that you can tell me if it has any other flaws that I can't see since I am a newbie.... Here is the correction the "unknown" friend has made:

    undef @isfile{@files};
    exists $isfile{$file} or die;

Here is also the whole you are not bored have a look.....

    #!/usr/bin/perl -w

    use CGI::Carp qw(fatalsToBrowser);
    use CGI qw(:standard);
    use DBI;
    use DBD::mysql;
    use Mail::Sendmail;

    $xronos = scalar(localtime(time + 10800));
    $xronos =~ s/:\d{2} \d{4}//g;
    $ip = $ENV{'REMOTE_ADDR'};
    @numbers = split (/\./,$ip);
    $address = pack ("C4", @numbers);
    $host = gethostbyaddr ($address, 2) || $ip;

    print header( -charset=>'iso-8859-7' );
    print start_html( -title=>'Ψυχωφελή Πνευματικά Κείμενα!', -background=>'../data/images/night.jpg' );

    $db = ($ENV{'SERVER_NAME'} ne '')
        ? DBI->connect('DBI:mysql:nikos_db', 'root', '')
        : DBI->connect('', '********', '******')
        or print font({-size=>5, -color=>'Lime'}, $DBI::errstr) and exit 0;

    @files = <../data/texts/*>;
    foreach (@files) {
        $_ =~ s/.*[\/\\](.*)/$1/;
    }

    print start_form(-action=>"");
    print p( {-align=>'center'}, font( {-size=>5, -color=>'Lime'}, 'Λόγος Ψυχωφελής και Θαυμάσιος => ' ),
             popup_menu( -name=>'select', -values=>\@files ), submit('ok'));
    print end_form();

    $file = param("select") || $files[rand(@files)];
    undef @isfile{@files};
    exists $isfile{$file} or die;

    open(IN, "../data/texts/$file") or die $!;
    @data = <IN>;
    close(IN);

    $data = join("", @data);
    $data =~ s/\n/\\n/g;

    #*******************************************************************************
    print <<ENDOFHTML;
    <html><head><title></title>
    <script type="text/javascript">

    var textToShow = "$data";
    var tm;
    var pos = 0;
    var counter = 0;

    function init()
    { tm = setInterval("type()", 50) }

    function type()
    {
      if (textToShow.length != pos)
      {
        d = document.getElementById("DivText");
        c = textToShow.charAt(pos++);

        if (c.charCodeAt(0) != 10)
          d.appendChild(document.createTextNode(c));
        else
          d.appendChild(document.createElement("br"));

        counter++;

        if (counter >= 1800 && (c.charCodeAt(0) == 10 || c == "."))
        {
          d.appendChild(document.createElement("br"));
          d.appendChild(document.createTextNode("Press any key..."));
          counter = 0;
          clearInterval(tm);
          document.body.onkeypress = function () {
            document.getElementById("DivText").innerHTML = '';
            tm = setInterval("type()", 50);
            document.body.onkeypress = null;
          };
        }
      }
      else
        clearInterval(tm);
    }
    </script>

    <body onload=init()>
    <center>
    <div id="DivText" align="Left" style="
      background: url(../data/images/blueblack.jpg);
      border-color: Yellow;
      border-style: Groove;
      border-width: 10;
      width: 900;
      height: 500;
      color: Lightblue;
      font-face: Com;
      font-size: 19">
    </div>
    </body>
    </html>
    ENDOFHTML
    #*******************************************************************************

    print br(), br();
    print start_form(-action=>"");
    print table( {-border=>1, -width=>"65%", -align=>"center", -style=>"border: ridge magenta; color: lime; font-size: 18", -background=>"../data/images/fire.jpg"},
        Tr( {-align=>'center'}, td( "Πώς σε λένε αδελφέ?" ), td( textfield( 'onoma' ))),
        Tr( {-align=>'center'}, td( "Ποιά είναι η γνώμη σου για την ευχή του Ιησού 'Κύριε Ιησού Χριστέ Ελέησον Με' ?" ), td( textarea( -name=>'sxolio', -rows=>5, -columns=>30 ))),
        Tr( {-align=>'center'}, td( "Μοιράσου μαζί μας μία κατά τη γνώμη σου θαυμαστή προσωπική σου πνευματική εμπειρία από κάποιον γέροντα προς ώφελος των υπολοίπων αδελφών αν φυσικά έχεις ...." ), td( textarea( -name=>'empeiria', -rows=>7, -columns=>30 ))),
        Tr( {-align=>'center'}, td( "Ποιό είναι το e-mail σου?" ), td( textfield( 'email' ))),
        Tr( {-align=>'center'}, td( submit( 'Εμφάνιση' )), td( submit( 'Αποστολή' ))));
    print end_form(), br(), br();

    open(IN, "<../data/texts/tips") or die $!;
    @tips = <IN>;
    close(IN);

    @tips = grep { !/^\s*\z/s } @tips;
    $tip = $tips[int(rand(@tips))];

    print table( {-width=>"90%", -align=>"center", -style=>"border: ridge lightgreen; color: yellow; font-size: 18", -background=>"../data/images/blue.jpg"},
        Tr( {-align=>'center'}, td( font( {-size=>3, -color=>'white'}, b( $tip )))));

    $db->do( "UPDATE counter SET visitor = visitor + 1" );
    $st = $db->prepare( "SELECT visitor FROM counter" );
    $st->execute();
    $row = $st->fetchrow_hashref;

    print font( {-size=>4, -color=>'Yellow'}, "<br>$host<br>" );
    print font( {-size=>4, -color=>'Orange'}, "<br>$xronos<br>" );
    print font( {-size=>4, -color=>'Cyan'}, "<br>$row->{visitor}<br><br>" );

    print a( {href=>''}, img {src=>'../data/images/games.gif'} );
    print p( {-align=>'right'}, a( {href=>'../data/photos/'}, font( {-size=>4, -color=>'Lime'}, 'Π' )));

    if ($host =~ /thes530-.*?\.otenet\.gr|millennium-.*?\.ccf\.auth\.gr/) {
        exit 0;
    }

    open(OUT, ">>../data/texts/log") or die $!;
    print OUT $host, " "x(40-length($host)), "-> ", $xronos, "\n";
    close(OUT);

    if ($ENV{'SERVER_NAME'} ne '') {
        exit 0;
    }

    #%mail = ( To      => '',
    #          From    => '',
    #          Subject => "Επισκέπτης από $host"
    #        );
    #sendmail(%mail) or die $Mail::Sendmail::error;

Sorry for the mess I caused and please excuse me for my curiosity..... but anyway no harm is done. All works great now... :-) Lucky me!

20040524 Edit by Corion: Removed DB username and password

Re: Re: Re: Re: Company hacks through my Perl's Website Security hole
by diotalevi (Canon) on May 21, 2004 at 18:53 UTC
    Hey great! Now go change your username and password. You didn't remove them from the script before you posted it.
      Could Nik be a hacking-masochist? Is there such a thing?

      Plankton: 1% Evil, 99% Hot Gas.
        LOOOOOOOOOOOOOOOOOOOOOL Plankton!!! I think it might be!!
Re: Re: Re: Re: Company hacks through my Perl's Website Security hole
by Anonymous Monk on May 21, 2004 at 18:53 UTC
    but I am telling you my curiousness was the only reason for such a mess.
    No it wasn't. It was your stupidity. If you were curious, you would have read perlsec like people told you to instead of pouring gasoline on yourself and playing with matches.
Re: (x4) Company hacks through my Perl's Website Security hole
by jarich (Curate) on May 26, 2004 at 02:42 UTC
    also wanted to ask you guys to explain to me the correction that took place.....

        @files = <../data/texts/*>;
        $file = param("select") || $files[rand(@files)];
        undef @isfile{@files};
        exists $isfile{$file} or die;
        open(IN, "../data/texts/$file") or die $!;

    What this correction does is ensure that the value in $file actually exists in ../data/texts/. If it does not exist there then your program dies.

    To understand HOW it does that I suggest you read up on undef, exists and hash slices.

    Your open is still broken. Read open for information on how to use three argument open. Basically you should make your opens look like this:

        open (FILEHANDLE, MODE, FILENAME) or die $!;

    so in this case:

        open (IN, "<", "../data/texts/$file") or die $!;

    Notice that we pass in the less than in a separate argument. You should do this, it makes your scripts much more secure.

    tell me if it has any other flaws that i cant see since i am a newbie...

    As mentioned to you many times before: use taint mode. Read perlsec and a good Perl book. There's no excuse (not even being a newbie) for not knowing how to validate your data. In this case it would be this easy:

        #!/usr/bin/perl -wT
        $ENV{PATH} = "";

        # ... use statements and other code

        my @files = <../data/texts/*>;
        foreach (@files) { s/.*[\/\\](.*)/$1/ }    # keep base names only, as in the original script
        my $file = param("select") || $files[rand(@files)];

        ($file) = ($file =~ /^([\w.-]+)$/);              # Clean filename
        die "Invalid filename: $file" unless $file;      # Die if empty

        my %isfile;
        undef @isfile{@files};
        exists $isfile{$file} or die "Invalid filename: $file";

        open(IN, "<", "../data/texts/$file") or die $!;

    Notice that we only need to make 3 changes here. The first is to add -T up on the shebang line. The second is to set our environment path. The third is the most interesting. Here we make sure that the filename only contains letters, numbers, underscores, dots and hyphens. Anything else (which would include the sequence ../) is forbidden. If the file contains things that are not in this list then we die with an error. I made a few extra changes (such as declaring the variables and using the 3 argument version of open), but they're not strictly necessary to enable taint checking.

    Using taint checking is essential for CGI scripts.

    Your script would be better for using strict too. This is a great way to make your life easier. You've probably been told this 100 times already, I hope you don't feel that being a newbie means you don't have to do this either.

    I hope you learn
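
The three checks from jarich's reply (pattern check, hash-slice allowlist, three-argument open) put together as a runnable script; this is an added example, not code posted in the thread. The helper name resolve_text_file, the scratch directory and the request values are constructed for illustration, and the directory is read with opendir rather than the glob used in the thread.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical helper (not from the thread): return the path of $requested
# inside $dir, or undef unless it names a plain file that really exists there.
sub resolve_text_file {
    my ($dir, $requested) = @_;
    return unless defined $requested;

    # 1. Pattern check and untaint. \A...\z is used here instead of ^...$
    #    so that a trailing newline does not slip through.
    my ($name) = $requested =~ /\A([\w.-]+)\z/ or return;

    # 2. Allowlist via hash slice: keys are the plain files present in $dir.
    opendir(my $dh, $dir) or die "opendir $dir: $!";
    my @names = grep { -f "$dir/$_" } readdir($dh);
    closedir $dh;
    my %isfile;
    undef @isfile{@names};
    return unless exists $isfile{$name};

    return File::Spec->catfile($dir, $name);
}

# Constructed sample data: three files in a scratch directory.
my $dir = tempdir(CLEANUP => 1);
for my $n (qw(psalm-1.txt tips log)) {
    open(my $out, '>', File::Spec->catfile($dir, $n)) or die "create $n: $!";
    print {$out} "sample text for $n\n";
    close $out;
}

# Constructed request values, standing in for param("select").
for my $req ('psalm-1.txt', 'missing.txt', '../tips', 'texts/tips', "tips\n", '..', '') {
    my $path = resolve_text_file($dir, $req);
    (my $shown = $req) =~ s/\n/\\n/g;
    if (defined $path) {
        # 3. Three-argument open: the mode is fixed, the name is only a name.
        open(my $in, '<', $path) or die "open $path: $!";
        my $first = <$in>;
        close $in;
        print "ACCEPT '$shown': $first";
    } else {
        print "REJECT '$shown'\n";
    }
}
```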

