in reply to Re: Ping from HTML
in thread Ping from HTML

Warning! Two serious security holes in one short script

I suggest you stop doing web programming until you read and understand at least one of following papers:

--
Ilya Martynov, ilya@iponweb.net
CTO IPonWEB (UK) Ltd
Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
Personal website - http://martynov.org

Replies are listed 'Best First'.
Re: Re: Re: Ping from HTML
by shotgunefx (Parson) on Jan 06, 2003 at 14:19 UTC
    First point++.
    On your second point, I wonder how neccassary it is to escape the output of the command. If someone has modified a system utility it's just as likely they could access the source of the CGI script as well...

    -Lee

    "To be civilized is to deny one's nature."
[reply]

      The problem is that attacker can modify ping's output without having direct access to this program. Example:

      ilya@juil:~$ ping www.aha.ru
PING distributed.zenon.net (195.2.91.103): 56 data bytes
     ^^^^^^^^^^^^^^^^^^^^^
64 bytes from 195.2.91.103: icmp_seq=0 ttl=120 time=69.3 ms
64 bytes from 195.2.91.103: icmp_seq=1 ttl=120 time=64.6 ms

      [download]

      Note that ping (at least its version on my Linux desktop) queries DNS to find canonic name of pinged host. Since attacker controls networking address of pinged computer and may potentialy control corresponding DNS server he can control this part of ping's output. In general if you use output of any networking program you must be extra careful about it. There are many ways how attacker can tamper it without having direct access to your computer.

      --
      Ilya Martynov, ilya@iponweb.net
      CTO IPonWEB (UK) Ltd
      Quality Perl Programming and Unix Support UK managed @ offshore prices - http://www.iponweb.net
      Personal website - http://martynov.org

[reply]
[d/l]
        Very good point. I did not think of that.

        -Lee

        "To be civilized is to deny one's nature."
[reply]

In Section Seekers of Perl Wisdom