Famous last words: "surely this CGI script is safe"
    Kevin D. Clark 
    kclark at CetaceanNetworks.com
       
    Mon Mar 31 17:40:25 EST 2003
Seth Gordon <sethg at ropine.com> writes:
> I've composed this CGI shell script as an example of backlink-tracing:
> 
> [begin]
> #!/bin/bash
> 
> echo "Content-type: text/plain"
> echo
> 
> # If the linking page isn't in the referers file, add it.
> grep --quiet $HTTP_REFERER referers || echo $HTTP_REFERER >> referers
> 
> echo
> echo "Links to this page have been followed from the following URLs:"
> echo
> cat referers
> [end]
> 
> Other than filling up my partition with spurious URLs, is there any
> damage that a malicious outsider could do with this script?

Heh.  Suppose you're running your HTTP server as root (unwise!) and I
set HTTP_REFERER to:

   HTTP_REFERER="'^root:a' /etc/shadow"

...and then poll your handy list of "referers"?  I could continue
probing this way for some time; in not very much time I could have
some interesting things from your /etc/shadow file.

If you're *not* running your HTTP server as root, perhaps there's some
other file on your system that I could guess the location of?
Something that you perhaps wouldn't want me to see?

Ignoring the "filling up on disk space" issue, you might want to do
something like this:

   grep --quiet -- "$HTTP_REFERER" referers || echo "$HTTP_REFERER" >> referers

Another suggestion:  coding this up in Perl, using Perl's Taint
module, will alert you to issues like this.

Be careful out there,

--kevin
-- 
Kevin D. Clark / Cetacean Networks / Portsmouth, N.H. (USA)
cetaceannetworks.com!kclark (GnuPG ID: B280F24E)
alumni.unh.edu!kdc
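As an added example (not Seth's script or Kevin's one-liner), here is the referer-logging step written the way Kevin suggests, quoting the variable and passing it after "--", and going a little further than the thread does: the value is checked to be an http/https URL with no whitespace or control characters, and grep runs with -F and -x so that "." and "?" in a URL cannot widen the match. The function name record_referer, the helper count_referers and the temporary file path are assumptions made for this example; the hostile value in the usage comment is the one from the thread and is simply rejected.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# record_referer REFERER FILE: append REFERER to FILE if it is not already
# there. Returns 0 when the value was accepted (stored or already present),
# 1 when it was rejected.
record_referer() {
    referer=$1
    file=$2

    # Only absolute http/https URLs are logged; anything else (including a
    # value crafted to look like extra grep arguments) is rejected outright.
    case $referer in
        http://*|https://*) ;;
        *) return 1 ;;
    esac

    # Refuse whitespace and control characters so one request cannot write
    # several lines or smuggle a newline into the file.
    case $referer in
        *[[:space:][:cntrl:]]*) return 1 ;;
    esac

    touch -- "$file"

    # Always quoted and always after "--": grep sees exactly one pattern and
    # one file, never an option or a second file name taken from the client.
    # -F: fixed string, so "." and "?" in the URL are not regex metacharacters.
    # -x: whole-line match, so "http://a/b" does not shadow "http://a/bc".
    # printf '%s\n' instead of echo: echo may interpret a leading "-n" or "-e".
    grep -qxF -- "$referer" "$file" || printf '%s\n' "$referer" >> "$file"
    return 0
}

# count_referers FILE: number of stored referers (helper for checking results).
count_referers() {
    wc -l < "$1" | tr -d ' '
}

# Usage (constructed values):
#   f=$(mktemp)
#   record_referer "http://example.com/page?id=1" "$f"    # stored
#   record_referer "http://example.com/page?id=1" "$f"    # duplicate, not stored
#   record_referer "'^root:a' /etc/shadow" "$f"           # rejected, returns 1
```

Because the value reaches grep only as a single quoted argument behind "--", a hostile referer can at worst be stored as a literal string; it can no longer name a file for grep to read or turn the regex into a broader match.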