Take a look at the code in this node. Since it didn't have taint checking (amongst many other problems), I was rather concerned about it. A quick review of this code revealed the following line of code. Where does the filename come from?

open(IN, "$filepath/$siteinfo[1]");
[download]

It appears to come from here (near the start of the program):

$query_string = $ENV{'QUERY_STRING'};
@search      = split(/&/,$query_string);
@info      = split(/=/, $search[0]);
@siteinfo      = split(/-/, $info[1]);
[download]

Guess what the following URL does (assuming it's pointing to that CGI script):

http://www.somehost.com/path/to/script/badscript.cgi?name=x-/bin/ls|
[download]

If we use that code with that URL, we have /bin/ls| in the filename to be opened. That trailing pipe causes /bin/ls to be executed instead of opened.

Well, that's interesting.

I can now execute any executable on the server that the the script would have rights to run. Needless to say, there is a security issue here and it's a whopper. For all those monks out there who don't take this seriously (and I see a lot of them), pay attention!!!!

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just go the the link and check out our stats.