From: Onesphorf hass (onesphorfyahoo.se)
Date: Thu Jan 24 2002 - 08:30:10 CST
I have found a new method of CGI exploitation. I have
3 bugs in commonly used CGIs. Since I am working with
authors now, proof of concept exploits will not be
released before patches and updates are done. However,
I have written a Security paper to share with the
Feedback is wanted, I don't consider it done yet :)
CGI THREAT: Malicious data injection
into Perl modules.
Most websites today give the user the ability to
and return output based on the input. The ability to
dynamic web-pages is often thanks to CGI scripts. This
for more interesting surfing (port surf's up, btw!),
I will demonstrate in this article it can also help an
attacker exploit your website.
02. Type of Threats
The specific threat that I will discuss in this
is the ability to inject commands into Perl modules
by the CGI application itself. If we can trick the CGI
script to add code into the module, chances are that
will be able to execute commands.
(name of CGI script is taken away, since I haven't
notified vendor yet)
% nc localhost 80
GET /cgi-bin/xXXx.pl?user=0nesphorf;'touch /tmp/test'
HTTP/1.1 500 Internal Server Error
Date: Wed, 23 Jan 2002 22:47:59 GMT
Content-Type: text/html; charset=iso-8859-1
% ls /tmp/test
What I did was to include a command with backticks in
that the CGI did not expect, which fooled it into
writing the data
into the CGI.pm module, which also made it execute the
due to the backticks which have a special meaning to
This trick may or may not be used on CGIs written in a different language than Perl, but I have not tested that yet. Will research that in the future.
It is very important to keep in mind when writing CGI scripts that the user using the CGI script has full control over the input, and is not at all limited by, for example, HTML forms. It is the CGI script's job to make sure that the input is sane.
05. Conclusion and Thanks.
I have demonstrated yet another method to fool CGI scripts, by giving a sort of user input which the script did not expect in that context. Let's learn from this, shall we.
Thanks to Zenomorph for teaching me all I know about
through his technical papers.
Written in December 2001 - Public not until January
www.cgi-expertise.org - not yet up, be patient
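Added example, not part of the original post and not the script the author describes: the defensive side of the point made above, that the CGI script itself must make sure the input is sane before any of it reaches backticks, system() or exec(). The parameter name "user" follows the post; the allowlist pattern and the /usr/bin/id lookup are assumptions chosen for illustration. The script runs under Perl's taint mode (-T), which refuses to hand unlaundered request data to the shell at all, so a missing check fails closed instead of executing whatever the client sent.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post): validating CGI input in Perl
# under taint mode. "user" is the parameter name from the post; the
# allowlist regex and the lookup command are assumptions for illustration.
use strict;
use warnings;
use CGI;

# Taint mode requires a trusted PATH and no shell-influencing variables
# before any external program may be started.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# Allowlist: only characters a login name may contain, bounded in length,
# and never starting with '-' so the value cannot be read as an option.
# Everything else (';', backticks, quotes, newlines, ...) is rejected, and the
# capture group is what launders the value in taint mode.
sub untaint_user {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,31})\z/ ? $1 : undef;
}

my $user = untaint_user($q->param('user'));
unless (defined $user) {
    print $q->header(-status => '400 Bad Request', -type => 'text/plain');
    print "Invalid value for 'user'\n";
    exit 0;
}

# List-form open never invokes /bin/sh, so even the validated value is passed
# as a single argument and never re-parsed as a command line. This is the
# replacement for interpolating request data into a backtick string.
# (Assumed lookup command; use whatever the script actually needs.)
open my $fh, '-|', '/usr/bin/id', '-u', $user
    or die "cannot run id: $!";
my @out = <$fh>;
close $fh;

print $q->header(-type => 'text/plain');
print @out;
```

Two layers are doing the work here: the regex allowlist decides what a "user" may look like, and the list-form open decides how the program is started. Either one alone would have stopped the request shown above; using both means a later edit that weakens one of them does not silently reopen the hole.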