PerlMonks
do not use this script in a public environment!

by antihec (Sexton)
on Jun 02, 2000 at 16:46 UTC


in reply to CGI- based calendar

I did a little audit of this app. Here's what I found:

calendar.pl
some older /usr/bin/cal don't know about '-m'.

showDate.pl
Using something like showDate.pl?month=../../../../../../etc/&date=inittab in the URL one can open files read-only with the executive uid of the user the server is running as. Only the regexp controlling what is written out keeps one from reading the file's contents. So what a pity inittab just has 6 entries...
If, however, you happen to have users with numerical names in the range of 8..24, showDate.pl would happily spit their /etc/password entries at you.
Not too interesting, this one.

alterDate.pl
This seems more 'promising', because it lets you open files O_RDWR | O_CREAT,0666, opening all kinds of doors. A URL like alterDate.pl?month=../../../../../../etc/&date=passwd&time=r00t&entry=:0:0::/:/bin/sh&action=Add%20new%20entry really makes you wish you wouldn't have your server running as root...

I didn't play with action=rem, but it looks like it lets you remove any line containing a ':' from any file writable by the user the webserver is running as (such as logfiles, if you want to hide your traces from playing with action=Add%20new%20entry).

So, as a bottom line, please be sure to check user input in your CGIs, esp. when you post them to some public place. You never know just who's gonna use them in what surroundings.

-- bash$ :(){ :|:&};:

Replies are listed 'Best First'.
RE: do not use this script in a public environment!
by mikkoh (Beadle) on Jun 02, 2000 at 17:14 UTC
    Damn! Thanks a lot for pointing these facts out, I sorta hoped for some guidance with security issues. If you have any suggestions as for where to find tutorials etc. on writing safe CGI scripts, please go ahead (yes, I know how to use a search engine, but still.. ). I hope nobody actually has used this.. //mjh
      A great source for CGI security info is CGI Programming with Perl. Chapter 8 on Security is free online at O'Reilly.
      > If you have any suggestions as for where
      > to find tutorials etc. on writing safe CGI-
      > scripts, please go ahead

      Well, actually I don't know any resources. Perhaps we should go start creating one around the Monastery here?

      Would Q&A be an OK area for such a thing, or should we perhaps make it into a tutorial? I can't say I know enough about security to cover Everything(tm) - but with the help of fellow monks it could become a nice (and IMHO needed) thing.

      What are your thoughts on this?

      super: now I'm done writing this, I note a certain "perlcgi" obsoletes my node before even having finished it. Thanks a lot!
      ;-)

      -- bash$ :(){ :|:&};:
        Well, the Perl security manpage at the Library is a very good read, though it doesn't really cover CGI. A must-read anyway. //mjh
RE: do not use this script in a public environment!
by mikkoh (Beadle) on Jun 04, 2000 at 17:46 UTC
    OK, here's what I've come up with:
    1. Check for a string like "### CALENDAR.PL DATE FILE May13" in the beginning of each date file where May13 would be replaced with whatever the month+date are
    2. Check to see that param('month') contains nothing but word characters, param('date') two digits and param('time') one or two digits.
    Do you think that this is sufficient, or should the path to the date_file also be validated in some way..? //mjh
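Taking mikkoh's two checks as a starting point, here is an added example (not the calendar's code, and not written by anyone in the thread) of how they look in a hardened showDate.pl-style reader. The data directory, the "$month$date" file-name convention taken from the marker line and the letters-only month rule are assumptions; with the parameters whitelisted this strictly, the path needs no separate validation, because nothing but letters and digits can ever reach the file name.

```perl
#!/usr/bin/perl -T
# Added example (not the calendar's own code): whitelist the CGI
# parameters mikkoh lists, then read the date file only if its
# first line is the marker he proposes.
use strict;
use warnings;
use CGI qw(param);
use File::Spec;
# Assumed data directory; hypothetical, not from the original script.
my $DATA_DIR = '/var/www/calendar/data';
# One anchored whitelist regex per parameter. \A and \z (rather than
# ^ and $) mean a trailing newline, a slash or ".." can never match,
# and taint mode (-T) forces the value out through a capture group.
my %rule = (
    month => qr/\A([A-Za-z]{3,9})\z/,  # e.g. "May"; letters only
    date  => qr/\A(\d{1,2})\z/,        # one or two digits
    time  => qr/\A(\d{1,2})\z/,        # one or two digits
);
# Returns the untainted value, or undef if the parameter fails its rule.
sub clean_param {
    my ($name) = @_;
    my $raw = param($name);
    return undef unless defined $raw;
    my ($ok) = $raw =~ $rule{$name};
    return $ok;
}
# Opens the date file read-only and returns its lines, but only if the
# first line is the marker, e.g. "### CALENDAR.PL DATE FILE May13".
sub read_date_file {
    my ($month, $date) = @_;
    my $file = File::Spec->catfile($DATA_DIR, "$month$date");
    # Three-argument open: the mode is fixed here, never by the name.
    open(my $fh, '<', $file) or return;
    my @lines = <$fh>;
    close $fh;
    return unless @lines && $lines[0] eq "### CALENDAR.PL DATE FILE $month$date\n";
    return @lines;
}

my ($month, $date, $time) = map { clean_param($_) } qw(month date time);
print "Content-type: text/plain\n\n";
if (grep { !defined } ($month, $date, $time)) {
    print "rejected: a parameter failed validation\n";
} elsif (my @entries = read_date_file($month, $date)) {
    print @entries;
} else {
    print "no valid date file for $month$date\n";
}
```

Run it under a CGI-capable web server with -T left on, so that any value that somehow bypasses clean_param is still refused by Perl's taint checks before it reaches open.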
