HTTP_REFERER, possible vulnerability

Post by robe » Tue, 27 Feb 1996 04:00:00

I posted a similar message like this some time ago, but I'll repeat
it again since I've been confronted with it again myself:
using the HTTP_REFERER variable (a variable made available to
cgi-scripts by many httpd's) in shell-scripts must be done with extreme
caution.

It is very easy to 'make' a HTTP_REFERER containing commands and
characters which are interpreted by the shell parsing it. If no special
care is taken to prevent this, a site can be vulnerable to certain
attacks.

To see how easy it is to play around with this:
$ telnet some.site 80
Connected to some.site.
Escape character is '^]'.
-GET /~some_dir/vulnerable.script HTTP/1.0
-Referer:"`/bin/rm -fr /`"
-<ENTER>
...
Connection closed.
$

Lines starting with '-' are entered by the hacker.
If vulnerable.script contains something like 'if [ $HTTP_REFERER ]..',
you might be in trouble.

                                                                robert

HTTP_REFERER, possible vulnerability

Post by J.M. Ivl » Fri, 01 Mar 1996 04:00:00

: > it again since I've been confronted with it again myself:
: > using the HTTP_REFERER variable (a variable made available to
: > cgi-scripts by many httpd's) in shell-scripts must be done with extreme
: > caution.
:
: Which holds true for all the other HTTP_ variables passed to a CGI
: script, too. And it shows again an old and painfully-learned rule:
: Don't pass anything to a (sub)shell that you got from over the
: network.

Or, as Tom Christiansen writes often.... DON'T USE SHELL FOR CGI.

Try Tcl (which would require an [exec] to operate a command at the
command/shell level) or Perl, or C or any language which doesn't operate at
the shell level.

jmi
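Both posts above are about the same hazard: a value that arrived over the network reaching the shell's parser. The value of HTTP_REFERER is not re-evaluated for command substitution by a plain quoted expansion; it becomes dangerous where the script re-parses it, for example with eval, sh -c, or a command line assembled by string concatenation, and an unquoted $HTTP_REFERER is still word-split and glob-expanded. The following is an added example, not code from either poster: a POSIX sh CGI fragment that checks HTTP_REFERER against a character allowlist before anything uses it and only ever passes it quoted. The function names referer_ok and referer_host and the sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original posts): validate HTTP_REFERER in a
# shell CGI before any use, instead of trusting what the client sent.

# referer_ok VALUE -> exit status 0 if VALUE is a plain http(s) URL made
# only of allowlisted characters, 1 otherwise. The `case` patterns are
# matched by the shell itself; the value is never re-parsed as code.
referer_ok() {
    ref=$1
    case $ref in
        "") return 1 ;;                           # empty or unset
        *[!A-Za-z0-9./:_~%?=-]*) return 1 ;;      # any character outside the allowlist
    esac
    case $ref in
        http://[A-Za-z0-9]*|https://[A-Za-z0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# referer_host VALUE -> prints the host part of an accepted referer.
# Only parameter expansion is used, so the value never goes through
# a second round of shell parsing.
referer_host() {
    referer_ok "$1" || return 1
    h=${1#http://}
    h=${h#https://}
    h=${h%%/*}
    printf '%s\n' "$h"
}

# Constructed sample values, standing in for what a client might send.
GOOD_REF='http://www.example.com/page.html'
BAD_REF='"`id`"'

# CGI-style driver: the value is used only after it passes the check,
# and always quoted. The web server sets HTTP_REFERER in the environment.
cgi_main() {
    printf 'Content-type: text/plain\r\n\r\n'
    if referer_ok "${HTTP_REFERER:-}"; then
        printf 'Referred from %s\n' "$(referer_host "$HTTP_REFERER")"
    else
        printf 'No usable referer\n'
    fi
}

cgi_main
```

Even with the check in place the shell is still the interpreter, so jmi's point stands: the safer design is a CGI in a language where the referer value never reaches a shell at all.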

possible vulnerability in ipsec (AIX 4.3.3)

Hi folks,

I played around a bit with ipsec on two RS/6000s. I made a tunnel from
one to the other. After some days, I saw in /etc/passwd (last line)

ipsec:*:238:1::/etc/ipsec:/usr/bin/ksh

Now the machines are NIS clients, and ipsec seems to have created a new
user on the two machines with the first free UID > 200.

The key files and other ipsec stuff reside under /etc/ipsec and are
owned by the user ipsec!

If now on the NIS server a new user is added, too, it will also get
the same UID! This new user can log in to the machines with ipsec
installed and cd to /etc/ipsec, manipulating all key files.

Does anybody know how to report such a bug to IBM?

Have fun,

     Fred
--
Fred Hucht, Institute of Theoretical Physics, University of Duisburg, Germany

"The field of algebraic numbers is not an algebraic number field"
(E. Landau, Zahlentheorie (1927), Theorem 718)
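The failure mode Fred describes is a UID collision between a locally created system account and an entry in the NIS passwd map. As an added example, not from the post, here is a POSIX sh check that reports every UID present in both a local /etc/passwd and a NIS passwd map; the two inputs are passwd-format text, and the sample data, the function name uid_collisions and the NIS user names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original post): find local accounts whose
# UID also appears in the NIS passwd map, as with the ipsec account above.
# Both inputs are passwd-format text; the samples below are constructed.

LOCAL_PASSWD='root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
ipsec:*:238:1::/etc/ipsec:/usr/bin/ksh'

NIS_PASSWD='alice:x:237:100::/home/alice:/usr/bin/ksh
bob:x:238:100::/home/bob:/usr/bin/ksh
carol:x:239:100::/home/carol:/usr/bin/ksh'

# uid_collisions LOCAL NIS -> prints "uid local_user nis_user" for every
# UID found in both inputs; exit status 1 if at least one collision exists,
# 0 otherwise. A sentinel line separates the two inputs for awk.
uid_collisions() {
    { printf '%s\n' "$1"; echo '__NIS__'; printf '%s\n' "$2"; } | awk -F: '
        $0 == "__NIS__" { in_nis = 1; next }
        !in_nis         { local_name[$3] = $1; next }       # remember local UIDs
        ($3 in local_name) { print $3, local_name[$3], $1; found = 1 }
        END { exit found ? 1 : 0 }'
}

# Stand-alone run: on a live NIS client, replace the samples with
#   LOCAL_PASSWD=$(cat /etc/passwd); NIS_PASSWD=$(ypcat passwd)
uid_collisions "$LOCAL_PASSWD" "$NIS_PASSWD"
```

Running this on each NIS client after installing software that creates accounts shows whether a later NIS addition could land on the same UID. The corresponding mitigation is to keep UIDs for local system accounts in a range the NIS server never allocates, so that the owner of /etc/ipsec cannot be shadowed by a network user.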
