From:	 "Philip Turner" <p.turner@newman.ac.uk>
To:	 <bugtraq@securityfocus.com>
Subject: Re: PHP script: Penguin Traceroute, Remote Command Execution
Date:	 Fri, 22 Mar 2002 08:52:17 -0000

On 21 Mar 2002 at 14:16, paul jenkins wrote:

> /* ------------------------------ *
>  * --------Security Freaks------- *
>  * ----www.securityfreaks.com---- *
>  * ------------------------------ */
> 
> 
> Info
> ====
> Software: Penguin Traceroute
> Website: http://www.linux-directory.com/scripts/traceroute.shtml
> Versions: 1.0
> Platforms: Linux
> Vulnerability Type: Remote Command Execution
> 
> 
> Details
> =======
> Penguin Traceroute is a Perl script that does traceroute. This is another
> script where the author forgets to parse the input for any ; | characters
> and any user is able to execute anything he wants with the same
> permissions as apache. Example: "127.0.0.1;cat /www/secure/.htpasswd"
> and there goes the passwords, or if the user apache has write access
> "127.0.0.1;echo I iz 1337>index.html".
> 
> 
> Fix
> ===
> Open up the perl script in your favorite text editor, find a line that has
> "$host = $q->param('host');" It's usually the 13th line down then just add
> this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and 

Shouldn't this be "$host =~ s/[^0-9A-Za-z.-]//g;" on the basis 
that accepting known good is safer than rejecting known bad?

> that should parse out any unwanted characters.
> 
> 
> 
> 


-- 
Phil Turner
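
The two substitutions from this thread, run side by side on a few inputs, as an added Perl example that is not part of either message or of Penguin Traceroute. The `validate_host` and `run_traceroute` helpers, the sample inputs, the 253-character cap and `traceroute` being on PATH are assumptions of the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Blocklist substitution quoted from the advisory.
sub strip_known_bad {
    my ($h) = @_;
    $h =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;
    return $h;
}

# Allowlist substitution quoted from the reply.
sub keep_known_good {
    my ($h) = @_;
    $h =~ s/[^0-9A-Za-z.-]//g;
    return $h;
}

# Assumption of this example: reject rather than rewrite, cap the length,
# and require an alphanumeric first character so the value cannot be
# taken for a command-line option.
sub validate_host {
    my ($h) = @_;
    return undef unless defined $h && length($h) <= 253;
    return $h =~ /\A([0-9A-Za-z][0-9A-Za-z.-]*)\z/ ? $1 : undef;
}

# List-form pipe open: traceroute gets $host as one argv entry and no
# shell parses it. 'traceroute' on PATH is an assumption; not called below.
sub run_traceroute {
    my ($host) = @_;
    open(my $fh, '-|', 'traceroute', $host) or die "traceroute: $!";
    my @out = <$fh>;
    close $fh;
    return @out;
}

# Constructed inputs; the second is the advisory's own example.
my @samples = ('127.0.0.1', '127.0.0.1;cat /www/secure/.htpasswd',
               "127.0.0.1\nid", '127.0.0.1 `id`', '-h');

for my $in (@samples) {
    my $ok = validate_host($in);
    (my $shown = $in) =~ s/\n/\\n/g;
    (my $bad = strip_known_bad($in)) =~ s/\n/\\n/g;
    printf "%-40s blocklist=[%s] allowlist=[%s] validate=%s\n",
        "[$shown]", $bad, keep_known_good($in),
        defined $ok ? "accept" : "reject";
}
```

Both substitutions silently rewrite the input into a different string, whereas `validate_host` refuses anything that is not already well-formed, and the list-form `open` keeps the value away from a shell even if validation is later loosened.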