perl/cgi exploit with bracketed module names passed in as CGI param

shumsta

Hi, I recently observed some interesting hacking attempts at a site I
am working on. I haven't been able to find any info about this as a
documented exploit, though surely it has been identified.

Can anyone tell me or point me to info regarding exploiting a server by
passing in module names to a cgi script? This seems to work when the
cgi script prints the raw cgi param value back out, though I'm not sure
I understand why.

For example suppose script myhack.cgi takes an argument named
"username" and prints it to the screen in the case of an invalid
password using "print "bad username $username" if !$valid{$username};

then if you call the script using:

/cgi-bin/myhack.cgi?username=[CGI::Carp::realwarn]

you get an error like this:

Error in maketexting "bad username [CGI::Carp::realwarn]":
Can't locate object method "realwarn" via package "CGI::Carp" (perhaps
you forgot to load "CGI::Carp"?)
in bracket code [compiled line 2], as used at /mycode.pm line 1137


Anyone seen this before?

Thanks
 
Fabian Pilkowski

* shumsta said:
> Hi, I recently observed some interesting hacking attempts at a site I
> am working on. I haven't been able to find any info about this as a
> documented exploit, though surely it has been identified.
>
> Can anyone tell me or point me to info regarding exploiting a server by
> passing in module names to a cgi script? This seems to work when the
> cgi script prints the raw cgi param value back out, though I'm not sure
> I understand why.
>
> For example suppose script myhack.cgi takes an argument named
> "username" and prints it to the screen in the case of an invalid
> password using "print "bad username $username" if !$valid{$username};

Please, try to provide a small script to reproduce this. I can't. While
trying what you described, I produced this script:

#!/usr/bin/perl -w
use strict;
use CGI;
use CGI::Carp qw( fatalsToBrowser );
my $username = CGI::param('username');
print CGI::header();
print "welcome, $username" if $username;
__END__

> then if you call the script using:
>
> /cgi-bin/myhack.cgi?username=[CGI::Carp::realwarn]

It is working as intended, without errors.
> you get an error like this:
>
> Error in maketexting "bad username [CGI::Carp::realwarn]":
> Can't locate object method "realwarn" via package "CGI::Carp" (perhaps
> you forgot to load "CGI::Carp"?)
> in bracket code [compiled line 2], as used at /mycode.pm line 1137

The words "in bracket code" indicate that you're using a template system
which allows evaluating a string inside brackets, doesn't it?

OTOH the word "maketexting" is a sign of using Locale::Maketext. Seems
you put your CGI parameters into a string and run that string through
maketext(). Thus everyone could call Perl functions by passing special
parameters to your CGI script. In this case you have two choices:

* verify that your CGI-parameters don't contain brackets
* call maketext() before putting your params into that string

I would prefer the second. In your example of a username it is not
necessary to localize/translate the given username.

This is no bug in Perl/CGI, this is a special behavior when working with
*localization* (esp. with Locale::Maketext). You have to pay attention
to this whenever you localize your websites.

regards,
fabian
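As an added example (not code from either poster), the following stand-alone Perl script builds a minimal Locale::Maketext lexicon and places the interpolated-key pattern Fabian describes beside the fixed version that passes the parameter as a [_1] argument. The package names MyApp::L10N / MyApp::L10N::en, the lexicon entry and the username value are constructed for this demonstration; the username has the same shape as the value in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Locale::Maketext;

# Minimal project class plus one language class, laid out the way
# Locale::Maketext expects (class names are constructed for this example).
package MyApp::L10N;
our @ISA = ('Locale::Maketext');

package MyApp::L10N::en;
our @ISA = ('MyApp::L10N');
our %Lexicon = (
    # _AUTO makes maketext compile unknown keys as-is, so whatever lands in
    # a key, bracket notation included, gets parsed and executed.
    _AUTO => 1,
    'bad username [_1]' => 'bad username [_1]',
);

package main;

# Vulnerable pattern from the thread: the raw CGI value becomes part of the
# maketext key, so any [...] it contains is treated as bracket notation
# and maketext tries to call it as a method.
sub vulnerable_message {
    my ($lh, $name) = @_;
    return $lh->maketext("bad username $name");
}

# Fixed pattern (Fabian's second option): the key is a constant and the
# value travels as the [_1] argument, which maketext substitutes verbatim
# without re-parsing, so brackets in it are just characters.
sub safe_message {
    my ($lh, $name) = @_;
    return $lh->maketext('bad username [_1]', $name);
}

my $lh = MyApp::L10N->get_handle('en') or die "no language handle";

# Constructed input with the same shape as the value seen in the thread.
my $username = '[CGI::Carp::realwarn]';

my $out = eval { vulnerable_message($lh, $username) };
print "vulnerable: ", (defined $out ? $out : "maketext died: $@"), "\n";
print "safe: ", safe_message($lh, $username), "\n";
```

Locale::Maketext ships with Perl, so this runs with a stock interpreter. The vulnerable call dies inside the eval because maketext treats CGI::Carp::realwarn as a method to call on the language handle; the exact text in $@ depends on the Locale::Maketext release, but the failure itself does not. The safe call prints the username with its brackets intact, which is the behaviour the original script wanted in the first place.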
 