Seth Gordon <sethg at ropine.com> writes:

> I've composed this CGI shell script as an example of backlink-tracing:
>
> [begin]
> #!/bin/bash
>
> echo "Content-type: text/plain"
> echo
>
> # If the linking page isn't in the referers file, add it.
> grep --quiet $HTTP_REFERER referers || echo $HTTP_REFERER >> referers
>
> echo
> echo "Links to this page have been followed from the following URLs:"
> echo
> cat referers
> [end]
>
> Other than filling up my partition with spurious URLs, is there any
> damage that a malicious outsider could do with this script?

Heh.

Suppose you're running your HTTP server as root (unwise!) and I set
HTTP_REFERER to:

  HTTP_REFERER="'^root:a' /etc/shadow"

...and then poll your handy list of "referers"?

I could continue probing this way for some time; in not very much time I
could have some interesting things from your /etc/shadow file.

If you're *not* running your HTTP server as root, perhaps there's some
other file on your system that I could guess the location of?  Something
that you perhaps wouldn't want me to see?

Ignoring the "filling up on disk space" issue, you might want to do
something like this:

  grep --quiet -- "$HTTP_REFERER" referers || echo "$HTTP_REFERER" >> referers

Another suggestion: coding this up in Perl, using Perl's Taint module,
will alert you to issues like this.

Be careful out there,

--kevin
--
Kevin D. Clark / Cetacean Networks / Portsmouth, N.H. (USA)
cetaceannetworks.com!kclark (GnuPG ID: B280F24E) alumni.unh.edu!kdc
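An added example, not part of the thread above, showing why the unquoted `$HTTP_REFERER` is the problem: word splitting turns one header value into several grep arguments, so an attacker-chosen value can name a file to search. The hardened recorder goes a little beyond Kevin's one-liner by adding `-F` (literal, not regex) and `-x` (whole-line match); function names, the file argument and the sample header value are mine.

```shell
#!/bin/sh
# Added example: the quoted-vs-unquoted expansion behind the thread's bug.

# How many separate arguments does a value become when expanded UNQUOTED?
# This is what happens to $HTTP_REFERER in the original script: each
# whitespace-separated piece becomes its own argument to grep.
args_unquoted() {
    value=$1
    set -- $value        # deliberately unquoted: word splitting applies
    echo "$#"
}

# The same value expanded with quotes is always exactly one argument.
args_quoted() {
    value=$1
    set -- "$value"
    echo "$#"
}

# Hardened recorder:
#   quoted "$ref"  -> the header stays one argument, whatever it contains
#   --             -> a value starting with "-" cannot become a grep option
#   -F -x          -> compare as a literal whole line, not as a regex
# The second argument is the referers file (my addition; the script used a
# fixed "referers" in the current directory).
record_referer() {
    ref=$1
    file=$2
    [ -n "$ref" ] || return 0    # nothing to record for an empty header
    grep --quiet -F -x -- "$ref" "$file" 2>/dev/null \
        || printf '%s\n' "$ref" >> "$file"
}

# Constructed sample value: one header that splits into a pattern plus a
# file name if expanded unquoted. With quoting it is just a string.
hostile='^root: /etc/passwd'
```

Run `args_unquoted "$hostile"` against `args_quoted "$hostile"` to see the 2-vs-1 split; `record_referer` keeps the whole value as one line and never re-adds a duplicate.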