Boston Linux & Unix (BLU) Home | Calendar | Mail Lists | List Archives | Desktop SIG | Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings
Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU

BLU Discuss list archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Famous last words: "surely this CGI script is safe"

Seth Gordon <sethg at> writes:

> I've composed this CGI shell script as an example of backlink-tracing:
> [begin]
> #!/bin/bash
> echo "Content-type: text/plain"
> echo
> # If the linking page isn't in the referers file, add it.
> grep --quiet $HTTP_REFERER referers || echo $HTTP_REFERER >> referers
> echo
> echo "Links to this page have been followed from the following URLs:"
> echo
> cat referers
> [end]
> Other than filling up my partition with spurious URLs, is there any
> damage that a malicious outsider could do with this script?

Heh.  Suppose you're running your HTTP server as root (unwise!) and I

   HTTP_REFERER="'^root:a' /etc/shadow"

...and then poll your handy list of "referers"?  I could continue
probing this way for some time; in not very much time I could have
some interesting things from your /etc/shadow file.

If you're *not* running your HTTP server as root, perhaps there's some
other file on your system that I could guess the location of?
Something that you perhaps wouldn't want me to see?

Ignoring the "filling up on disk space" issue, you might want to do
something like this:

grep --quiet -- "$HTTP_REFERER" referers || echo "$HTTP_REFERER" >> referers

Another suggestion:  coding this up in Perl, using Perl's Taint
module, will alert you to issues like this.

Be careful out there,

Kevin D. Clark / Cetacean Networks / Portsmouth, N.H. (USA)!kclark (GnuPG ID: B280F24E)!kdc

BLU is a member of BostonUserGroups
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.

Valid HTML 4.01! Valid CSS!

Boston Linux & Unix /