in reply to CGI- based calendar

I did a little audit of this app
Here's what I found:

calendar.pl
some older /usr/bin/cal don't know about '-m'.

showDate.pl
Using something like showDate.pl?month=../../../../../../etc/&date=inittab in the URL one can open files ro with the executive uid of the user the server is running as. Only the regexp controlling what is written out keeps one from reading files contents. So what a pitty inittab just has 6 entries...
If - however - you'd happen to have users with numerical names in the range of 8..24, showDate.pl would happily spit their /etc/password entries at you.
Not too interesting, this one.

alterDate.pl
this seems more 'promising', cause it let's you open files O_RDWR | O_CREAT,0666, opening all kinds of doors. An URL like alterDate.pl?month=../../../../../../etc/&date=passwd&time=r00t&entry=:0:0::/:/bin/sh&action=Add%20new%20entry really makes you wish you wouldn't have your server running as root...

I didn't play with action=rem, but it looks like it let's you remove any line containing a ':' from any file writable by the user the webserver is running as. (such as logfiles, if you want to hide your traces from playing with action=Add%20new%20entry)

so, as a bottom line, please be sure to check user input in your cgis, esp. when you post them to some public place. You never know just who's gonna use them in what surroundings. 

-- 
bash$ :(){ :|:&};:

[download]

Replies are listed 'Best First'.
RE: do not use this script in a public environment!
by mikkoh (Beadle) on Jun 02, 2000 at 17:14 UTC
    Damn! Thanks a lot for pointing these facts out, I sorta hoped for some guidance with security issues. If you have any suggestions as for where to find tutorials etc. on writing safe CGI- scripts, please go ahead (yes, I know how to use a search engine, but still.. ). I hope nobody actually has used this.. //mjh
[reply]
      A great source for CGI security info is CGI Programming with Perl. Chapter 8 on Security is free! on line at at O'Reilly.
[reply]
      > If you have any suggestions as for where
      > to find tutorials etc. on writing safe CGI-
      > scripts, please go ahead

      Well, actually I don't know any resources. Perhaps we should go start creating one around the Monastery here?

      Would Q&A be an ok Area for such a thing, or should we perhaps make it into a tutorial. I can't say I know enough about security to cover Everything(tm) - but with the help of fellow monks it could get a nice (and IMHO needed) thing.

      What are your thoughts on this?

      super: now I'm done writing this, I note a certain "perlcgi" obsoletes my node before even having finished it. Thanks a lot!
      ;-) 

      -- 
bash$ :(){ :|:&};:

      [download]
[reply]
[d/l]
        Well, the Perl security manpage at the Library is a very good read, though it doesn't really cover CGI. A must_read anyway. //mjh
[reply]
[reply]
[d/l]
RE: do not use this script in a public environment!
by mikkoh (Beadle) on Jun 04, 2000 at 17:46 UTC
    OK, here's what I've come up with:
    1. Check for a string like "### CALENDAR.PL DATE FILE May13" in the beginning of each date file where May13 would be replaced with whatever the month+date are
    2. Check to see that param('month') contains nothing but word characters, param('date') two digits and param('time') one or two digits.
    Do you think that this is sufficient, or should the path to the date_file also be validated in some way..? //mjh
[reply]

In Section Code Catacombs