http://www.perlmonks.org?node_id=36121

Take a look at the code in this node. Since it didn't have taint checking (amongst many other problems), I was rather concerned about it. A quick review of this code revealed the following line of code. Where does the filename come from?
open(IN, "$filepath/$siteinfo[1]");
It appears to come from here (near the start of the program):
$query_string = $ENV{'QUERY_STRING'}; @search = split(/&/,$query_string); @info = split(/=/, $search[0]); @siteinfo = split(/-/, $info[1]);
Guess what the following URL does (assuming it's pointing to that CGI script):
http://www.somehost.com/path/to/script/badscript.cgi?name=x-/bin/ls|
If we use that code with that URL, we have /bin/ls| in the filename to be opened. That trailing pipe causes /bin/ls to be executed instead of opened.

Well, that's interesting.

I can now execute any executable on the server that the the script would have rights to run. Needless to say, there is a security issue here and it's a whopper. For all those monks out there who don't take this seriously (and I see a lot of them), pay attention!!!!

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go the the link and check out our stats.