Nik has asked for the wisdom of the Perl Monks concerning the following question:

This node falls below the community's minimum standard of quality and will not be displayed.

Re: Company hacks through my Perl's Website Security hole
by Somni (Friar) on May 21, 2004 at 17:28 UTC

    I think a little background is in order. Nik came onto EFnet #Perlhelp as Apost asking for help with his code. Originally all he had was an open call that took a filename from user input, i.e. open(FILE, "<../some/dir/$user_input"). He was told that was a security hole, but he didn't believe it was. He was then shown it was a security hole when someone gave him a URL that caused the script to read /etc/passwd.

    As the discussion went on someone mentioned any arbitrary program could be run. This, of course, was false, and the person was corrected. However, Apost became curious, and asked how his code could possibly run an external program. He was told that if he removed the leading "<" in his open call then anyone could supply a command if they did it just right.

    Yes, he explicitly changed his code to allow for an even bigger security hole, after he was told it was a security hole and what it would allow.

    The full log of the conversation can be found here.

      I'd also like to point out that xmath used the exploit to remove execute permissions from the script to prevent any incidents, but at a later point the script was re-activated by this thread's creator in spite of numerous explicit warnings against doing so before fixing the exploit.

      Normally such incidents are considered a gimme when providing web services to users, but if ever a case existed where a user should be held responsible for such negligence it would be this one.

      Nik: Are you responsible? Yes. Are you liable for any damages? Probably not, which, judging from your demeanor in the channel, is probably your only real concern.


      Roses are red, violets are blue. All my base, are belong to you.
      You know what else, here on perlmonks Nik has been told several times to use tainting and to read perlsec.

        And on the Devshed Forums where I'm a moderator I've told him to figure out tainting too. I don't know what the resistance is here. . .

        -Any sufficiently advanced technology is
        indistinguishable from doubletalk.

        My Biz

      Thanks Somni ... I was thinking the
      'Λόγος Ψυχωφελής και Θαυμάσιος => '
      Was some sort of binary code that was getting executed. What the heck is 'Λόγος Ψυχωφελής και Θαυμάσιος => ' anyways?
        It's Greek. The CGI was part of a Greek website, hence.
Re: Company hacks through my Perl's Website Security hole
by Abigail-II (Bishop) on May 21, 2004 at 16:41 UTC
    They used a security hole of an open command at index.pl this to be exact.
    No, they did not. They used a security hole in your program, not a security hole of the open command.
    Should i have to be considered responsible for such an action?
    In a way yes. Normal people are responsible for their own actions. That doesn't mean you are the only one to blame though. The people who gave you the ability to upload scripts like that are also to blame. Whether you are liable for damages depends on what kind of contract you have with the company.

    Next time, use tainting.

    Abigail
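
An added example, not code from this thread or from Nik's script: the two-argument open pattern the replies describe, beside a hardened form that uses an allow-list check, untainting through a regex capture, and three-argument open. The directory path, the `.txt` naming rule, and the helper names `clean_name` and `open_article` are assumptions made for illustration.

```perl
# Run as: perl -T example.pl   (taint mode, as the replies recommend)
use strict;
use warnings;
use File::Spec;

# Assumed layout: all readable files live in one fixed directory (hypothetical path).
my $BASE_DIR = '/var/www/data/articles';

# The pattern described in this thread, kept as comments for contrast:
#   open(FILE, "<../some/dir/$user_input");  # "../" in the input leaves the directory
#   open(FILE, "../some/dir/$user_input");   # without "<", a trailing "|" runs a command

# Validate a user-supplied name; return an untainted copy, or undef if rejected.
sub clean_name {
    my ($name) = @_;
    return undef unless defined $name;
    # Allow-list: a single path component of letters, digits, "_" or "-",
    # with an optional .txt suffix. \z (not $) also rejects a trailing newline.
    # Capturing through the regex is what untaints the value under -T.
    return $name =~ /\A([A-Za-z0-9_-]{1,64}(?:\.txt)?)\z/ ? $1 : undef;
}

# Open a validated file read-only with three-argument open.
sub open_article {
    my ($user_input) = @_;
    my $name = clean_name($user_input);
    die "rejected file name\n" unless defined $name;
    my $path = File::Spec->catfile($BASE_DIR, $name);
    # The mode is a separate argument, so the path is never parsed for
    # "<", ">" or "|" and cannot be turned into a command.
    open(my $fh, '<', $path) or die "cannot open article: $!\n";
    return $fh;
}

# Constructed sample inputs: one acceptable name and the shapes this thread mentions.
for my $input ('intro.txt', '../../etc/passwd', 'anything|', "intro.txt\n") {
    my $verdict = defined clean_name($input) ? 'accepted' : 'rejected';
    (my $shown = $input) =~ s/\n/\\n/g;
    print "$shown => $verdict\n";
}
```

Only the first sample name is accepted; the other three are rejected before any open call is reached.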

Re: Company hacks through my Perl's Website Security hole
by davido (Cardinal) on May 21, 2004 at 16:29 UTC
    It is your fault for exposing a company's servers to a security breach through a hole in a script you wrote and placed on their server. Ignorance isn't bliss, nor is it an excuse.

    The company's mistake was allowing a 'newbie' to place scripts on their site. However, site policy was only the weapon. You put the bullet in it and handed it to the criminal to pull the trigger.

    Give us a break. You have been warned many times here and other places to pay attention to security issues.


    Dave

      It is your fault for exposing a company's servers to a security breach through a hole in a script you wrote and placed on their server. Ignorance isn't bliss, nor is it an excuse.

      I disagree. See my post for why.

      The company's mistake was allowing a 'newbie' to place scripts on their site.

      Yes

      However, site policy was only the weapon.

      Not in the sense that you mean. Good operating systems have the ability to limit badly behaving users so they don't take down the system. If I were handing out accounts to unknowns, I'd expect to have to harden the system appropriately. This is 'system policy' the way sysadmins think about it. You're probably referring to 'written policy', which is usually worth the paper it's printed on.

      You put the bullet in it and handed it to the criminal to pull the trigger.

      Please don't use violent metaphors, there are plenty of better ones to choose from. Like sexual metaphors. Gets the point across, but is a happier thought.

      ____________________
      Jeremy
      I didn't believe in evil until I dated it.

        Please don't use violent metaphors, there are plenty of better ones to choose from. Like sexual metaphors. Gets the point across, but is a happier thought.

        *uproarious laughter* I prefer lite-beer metaphors. Less filling, Tastes great.

Re: Company hacks through my Perl's Website Security hole
by pzbagel (Chaplain) on May 21, 2004 at 16:35 UTC

    I believe not mine because I am a newbie user and I can't know whether or not my website has security flaws or holes (at the moment I just want my webpage to work), security is not my concern now. I believe the company should have imagined that might these could happened and prevent them

    First of all, you better believe it is your responsibility! Your lack of skill is no excuse for putting flawed code on a website. You should have bothered to read and educate yourself on safe CGI coding practices. You should have bothered to use Safe and taint mode and scrutinized the data input into your script.

    The "I didn't know any better" excuse is tired and lame. It's the same excuse used by the people at the office who get infected with viruses over and over. "I didn't know I shouldn't open attachments in strange emails sent to me which promise nude pictures of Britney..."

    Now, the company could have done a few things to make the environment you were allowed to execute your scripts in a little safer. But any company that allows any random n00b to install CGIs on their server is "a little whacked". However, that doesn't absolve you of the need to code responsibly.

    And one more thing. I find the comment "security is not my concern" appalling! It sure is your concern. You and every other person who posts crappy code on that website. Otherwise you can look forward to LOTS more downtime.

    Later

Re: Company hacks through my Perl's Website Security hole
by jepri (Parson) on May 21, 2004 at 16:29 UTC
    As a professional sysadmin, I can say that it isn't your fault if someone takes down the entire box thanks to your carelessness. Don't expect the admins to like you afterwards though.

    I'm not quite following how they 'hacked in' though. What's that code you posted? Were you running code submitted to a webpage or something? You sure had it coming if you did.

    I'm getting DNS errors trying to get to the site you mentioned. That doesn't necessarily mean the webserver has been hacked, but probably something is wrong with their systems.

    And a quick update, clarifying the first paragraph. It's the sysadmin's job to protect users from themselves. Sometimes the sysadmin is unable to protect the system from the boneheaded users. However ultimately the sysadmin decides who gets to run what, with what priority and how much system resources they may use.

    If they flub this, or if the OS contains a compromise, then it gets filed under "shit happens", they pull the backup tapes off the rack, and life goes on.

    ____________________
    Jeremy
    I didn't believe in evil until I dated it.

      That code as written allows anyone to run arbitrary programs. $file was supplied by the user and given to two-arg open which when the filename ends in a pipe symbol is interpreted as a shell command to run.
        update: This post works a lot better as a reply to pzbagel, which is where it should be... except that I clicked the wrong link. My bad.

        The system should have been protected by privilege separation. This guy's account gets hacked, the hackers muck around... the sysadmin deletes the account. No worries.

        Except it didn't work that way, this time. I can't even figure out from the parent post what actually happened. Perhaps a lightning strike took out the server room just as he realised his mistake?

        ____________________
        Jeremy
        I didn't believe in evil until I dated it.

Re: Company hacks through my Perl's Website Security hole
by Art_XIV (Hermit) on May 21, 2004 at 18:19 UTC

    It's your fault and it's "the company's" fault and it's the sum'bitch who broke into the server's fault.

    But look on the bright side... if you are, in fact, a newbie and an aspiring developer, then you've learned a very important lesson early on - that Security Matters, and it matters a lot.

    Accept responsibility for your part in this fiasco, and forgive yourself for it as you begin your new policy of always using taint mode for CGIs and always validating input from external sources.

    There are plenty of free tutorials and articles here on perlmonks and on other sites on securing applications.

    Hanlon's Razor - "Never attribute to malice that which can be adequately explained by stupidity"
Re: Company hacks through my Perl's Website Security hole
by blue_cowdawg (Monsignor) on May 21, 2004 at 17:49 UTC

        is the Company to blame for not should and could secure better their server?

    If one of my dogs bites the hand of a child provoking it then I'm to blame because it is my dog and whether the parent wants to accept it or not the parent is responsible for the child's actions.

    Likewise you put some code out there in the wild and it bit someone. You are responsible for what your code did.

    It might well be in the "company's" best interests to better secure their servers and not letting you upload un-verified CGI to their servers may be a future step they may opt to take.

Re: Company hacks through my Perl's Website Security hole
by Anonymous Monk on May 21, 2004 at 18:02 UTC
    Hacking the website is a criminal act and you're not legally responsible for other peoples' criminal acts, even if you dress like a whore or leave your doors unlocked. The programmer, however, is another matter. Whoever programmed this is certainly liable to his customer for any damages. He dressed you up like a whore and drove you into the bad part of town, pumped you full of roofies and dumped you on the curb, dazed and half naked and with a sign on your back saying "FREE ASS". (Jeremy, I hope this metaphor is okay by you)
      It made me laugh, so I'll pay it.

      After reading that conversation, it looks like the parent poster is one of those whiney guys who deliberately makes a mess and then blames the people nearby for not stopping him. There's not much anyone else can do in that situation.

      ____________________
      Jeremy
      I didn't believe in evil until I dated it.

      After reading Somni's node above it seems to me that Nik knew his code was vulnerable and even purposely made his CGI more dangerous.
Re: Company hacks through my Perl's Website Security hole
by Anonymous Monk on May 21, 2004 at 17:23 UTC
    Hi Nik, excuse my ignorance but what is efnet?

      An IRC network. Great refuge of script kiddies and other miscreants on the Internet.