Famous last words: "surely this CGI script is safe"

Scott Prive scottprive at earthlink.net
Mon Mar 31 18:04:02 EST 2003


1) You accept a string, from HTTP_REFERER.
2) You take that string, and use it as part of two bash commands.

This doesn't look very safe. :-)

A properly-escaped $HTTP_REFERER string could confuse the bash code enough
that your script can overwrite local files. Or maybe read and pipe data you
don't want it to (/etc/passwd, your .bash_history, etc.). Nothing here
prevents an overflow string (say, a 2000 byte HTTP_REFERER) from occurring. You
could break this right now by sending an HTTP_REFERER that contains a space.
It wouldn't matter to your script if spaces aren't "allowed" in REFERER
strings...

I'd suggest avoiding bash altogether because it has weak security and weak
string management. Perl (also PHP) is no magic bullet, but there's a lot
more reference material for securing Perl scripts. Take a look on
Freshmeat.net for some referrer loggers, etc., and see if there are any
safeguards you could copy.

If I were a little better at security (or had more time) I'd reply with an
example script that Does Bad Things, so take this with a grain of salt.

-Scott

----- Original Message -----
From: "Seth Gordon" <sethg at ropine.com>
To: <discuss at blu.org>
Sent: Monday, March 31, 2003 4:45 PM
Subject: Famous last words: "surely this CGI script is safe"


> I've composed this CGI shell script as an example of backlink-tracing:
>
> [begin]
> #!/bin/bash
>
> echo "Content-type: text/plain"
> echo
>
> # If the linking page isn't in the referers file, add it.
> grep --quiet $HTTP_REFERER referers || echo $HTTP_REFERER >> referers
>
> echo
> echo "Links to this page have been followed from the following URLs:"
> echo
> cat referers
> [end]
>
> Other than filling up my partition with spurious URLs, is there any
> damage that a malicious outsider could do with this script?
>
> --
> "Your labour is only worth something to the extent that it saves someone
> else having to do it."  --Paul Foley
> // seth gordon // sethg at ropine.com // http://ropine.com/sethg/cv.html //
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
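A hardened rewrite of the quoted script, added here as an example that is not part of the original thread. It keeps the original's `referers` file and output; the 1024-byte cap, the character allowlist and the REFERERS_FILE override are assumptions of this example, not anything the post specified.

```shell
#!/bin/sh
# Added example, not the script from the thread: a hardened variant of the
# quoted backlink logger. The original expands $HTTP_REFERER unquoted into
# grep and echo, so a referer containing spaces or shell syntax is word-split
# and reinterpreted. Here the value is validated, length-capped and quoted.
# Assumptions: the 1024-byte cap and the REFERERS_FILE override are this
# example's choices, not anything the original post specified.

# Accept only an absolute http(s) URL built from a small allowlist of
# characters (tighter than RFC 3986, enough for a backlink log). Rejects
# whitespace, quotes, backticks, redirections, "$(...)" and oversize values.
valid_referer() {
    ref=$1
    [ -n "$ref" ] && [ "${#ref}" -le 1024 ] || return 1
    printf '%s' "$ref" | grep -Eq '^https?://[A-Za-z0-9._~:/?#@%&=+-]+$'
}

# Append the referer to the log only if it is valid and not already present.
# The pattern and file are quoted, grep runs in fixed-string whole-line mode
# (-F -x) so URL characters are never treated as a regex, and "--" keeps a
# value beginning with "-" from being parsed as an option.
record_referer() {
    ref=$1
    file=$2
    valid_referer "$ref" || return 1
    touch -- "$file" || return 1
    grep -qFx -- "$ref" "$file" || printf '%s\n' "$ref" >> "$file"
}

# CGI entry point producing the same page as the original script.
main() {
    file=${REFERERS_FILE:-referers}
    printf 'Content-type: text/plain\n\n'
    record_referer "${HTTP_REFERER:-}" "$file" || :   # silently drop bad input
    printf '\nLinks to this page have been followed from the following URLs:\n\n'
    [ -f "$file" ] && cat -- "$file"
}

# Web servers set REQUEST_METHOD for CGI programs; only then serve a page.
if [ -n "${REQUEST_METHOD:-}" ]; then
    main
fi
```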
