List: bugtraq
Subject: jj cgi
From: Aleph One <aleph1 () dfw ! net>
Date: 1996-12-24 20:30:20
jj.c is a demo cgi program. It passes unfiltered user input to
/bin/mail. You know what that means. Use ~ to escape to a shell, etc.
The segment of the code looks like:
    if(allow) {
        char t[256];
        /* JJ_FAX comes straight from the request; popen() hands the
           string to /bin/sh, so shell metacharacters in it are interpreted */
        sprintf(t,"/bin/mail %s",JJ_FAX);
        if(!(order=popen(t,"w")))
            print_error("the server was unable to open a pipe to mail");
For allow to be true a password must be supplied. I have seen both
"HTTPdrocks" and "SDGROCKS" used as default in the source code. To make
matters more interesting it defined the following variable:
    char w[256];
It then uses getword to fill it with user supplied data:
    getword(w,cl,'=');
getword is defined as:
    void getword(char *word, char *line, char stop) {
        int x = 0,y;
        /* copies up to the delimiter with no limit on the size of word */
        for(x=0;((line[x]) && (line[x] != stop));x++)
            word[x] = line[x];
        word[x] = '\0';
        if(line[x]) ++x;
        y=0;
        /* shifts the rest of line down over the consumed word */
        while(line[y++] = line[x++]);
    }
As you can see it does no bounds checking. Lucky for them that main
calls exit before returning or you would have a nice buffer overflow.
This code should be studied as an example of how NOT to write secure
programs.
Aleph One / aleph1@dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
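Added for illustration, not from jj.c or from the post above: a bounded replacement for getword() that keeps the same "consume the token and shift the rest down" behaviour but cannot overrun its destination, and an allowlist check for a value that is about to be interpolated into a popen() command line. The function names getword_bounded and safe_mail_arg are my own.

```c
#include <stddef.h>
#include <string.h>

/* Bounded version of jj.c's getword(): copies at most wordsz-1 characters
 * of the first stop-delimited token into word, always NUL-terminates, and
 * removes the whole token (including any part that did not fit) plus the
 * delimiter from line. Returns 1 if the token was truncated, 0 if not,
 * -1 if wordsz is 0, so the caller can reject oversized input. */
int getword_bounded(char *word, size_t wordsz, char *line, char stop) {
    size_t x, n = 0;
    int truncated = 0;
    if (wordsz == 0) return -1;
    for (x = 0; line[x] && line[x] != stop; x++) {
        if (n < wordsz - 1)
            word[n++] = line[x];
        else
            truncated = 1;            /* drop, do not write past word */
    }
    word[n] = '\0';
    if (line[x]) ++x;                 /* skip the delimiter itself */
    memmove(line, line + x, strlen(line + x) + 1);
    return truncated;
}

/* Allowlist check for an argument that will be placed on a command line
 * passed to popen(). Only a conservative mail-address alphabet is
 * accepted, which keeps shell metacharacters (;, |, `, $, quotes,
 * whitespace) out of the string that /bin/sh will parse. A leading '-'
 * is rejected so the value cannot be read by mail as an option. */
int safe_mail_arg(const char *s) {
    static const char ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
        "0123456789@.-_+";
    if (*s == '\0' || *s == '-') return 0;
    for (; *s; s++)
        if (!strchr(ok, *s)) return 0;
    return 1;
}
```

Rejecting the value outright (rather than quoting or escaping it) is the simpler policy; an escaped string still goes through the shell, a validated one never needs to.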