
List:       bugtraq
Subject:    jj cgi
From:       Aleph One <aleph1 () dfw ! net>
Date:       1996-12-24 20:30:20

   jj.c is a demo CGI program. It passes unfiltered user input to
/bin/mail. You know what that means. Use ~ to escape to a shell, etc.
The relevant segment of the code looks like:

    if(allow) {
        char t[256];
        sprintf(t,"/bin/mail %s",JJ_FAX);
        if(!(order=popen(t,"w")))
            print_error("the server was unable to open a pipe to mail");

   For allow to be true a password must be supplied. I have seen both
"HTTPdrocks" and "SDGROCKS" used as the default in the source code. To make
matters more interesting it defines the following variable:

    char w[256];

   It then uses getword to fill it with user supplied data:

        getword(w,cl,'=');

   getword is defined as:

    void getword(char *word, char *line, char stop) {
        int x = 0,y;

        /* copies until the stop character or NUL; word's size is never consulted */
        for(x=0;((line[x]) && (line[x] != stop));x++)
            word[x] = line[x];

        word[x] = '\0';
        if(line[x]) ++x;
        y=0;

        /* shift the remainder of line down to the front */
        while(line[y++] = line[x++]);
    }

   As you can see it does no bounds checking. Lucky for them that main
calls exit before returning or you would have a nice buffer overflow.
This code should be studied as an example of how NOT to write secure
programs.
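A bounds-checked replacement for getword(), added here as an example and not code from jj.c or the original post; the extra wordsz parameter and the return convention (bytes copied, or -1 when the token had to be truncated) are my own choices:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Like jj.c's getword(), but never writes past word[wordsz-1].
   Copies line up to the stop character (or NUL) into word, then shifts the
   remainder of line to the front exactly as the original did.
   Returns the number of bytes copied, or -1 if the token was truncated. */
int getword_bounded(char *word, size_t wordsz, char *line, char stop) {
    size_t x = 0;
    int truncated = 0;

    if (wordsz == 0) return -1;           /* nowhere to put even a NUL */

    /* Scan the whole token, but only copy while there is room left. */
    while (line[x] && line[x] != stop) {
        if (x < wordsz - 1)
            word[x] = line[x];
        else
            truncated = 1;                /* input longer than the buffer */
        x++;
    }
    size_t copied = truncated ? wordsz - 1 : x;
    word[copied] = '\0';

    if (line[x]) ++x;                     /* skip the stop character */
    /* Overlapping copy of the rest of line to its start, including the NUL. */
    memmove(line, line + x, strlen(line + x) + 1);

    return truncated ? -1 : (int)copied;
}

int main(void) {
    /* Constructed sample input, longer than the 8-byte destination. */
    char line[] = "aaaaaaaaaaaaaaaaaaaa=rest";
    char w[8];
    int n = getword_bounded(w, sizeof w, line, '=');
    printf("copied=%d word=\"%s\" remainder=\"%s\"\n", n, w, line);
    return 0;
}
```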


Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
