
SECURITY HOLE: "Guestbook"

The version of "Guestbook" available at
<URL:http://alpha.pr1.k12.co.us/~mattw/scripts/guestbook.htm>
allows execution of arbitrary commands under the server UID.
If this sounds familiar, it should: it's the third security
hole of this nature I've found in two days.  I'm posting this one
more widely in the hope that it will inspire people to be more 
careful when writing CGI scripts for public consumption, and because 
this one is in very wide use.

It's the same old story -- forks a shell and sends off user 
supplied form data without checking it at all.  In my probes
I'm also finding sites running their webservers as root...
BAD BAD.  DON'T DO THIS.

Followups to comp.infosystems.www.authoring.cgi, please.

--
Paul Phillips                                 | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net>                   |  have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
<URL:pots://+1-619-220-0850/is/paul/there?>   |  their short-lived web site
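The defect the post describes is a CGI script that forks a shell and interpolates raw form data into the command line. The following is an added example, not part of the original post and not the Guestbook script itself, showing the pattern beside a hardened handler: the recipient address is validated against a strict allow-list, header fields are stripped of line breaks, and the mailer is invoked through an argument list with the message on stdin, so no shell ever sees the form data. The sendmail path, the form field names and the `run` parameter (injected so the handler can be exercised without a mailer) are assumptions.

```python
"""Guestbook CGI mail handler: vulnerable pattern versus a hardened form.

Added illustration; not code from the original post or the Guestbook script.
"""
import re
import subprocess

# Assumed mailer path; adjust for the host.
SENDMAIL = "/usr/lib/sendmail"

# Allow-list for the recipient: local part and dotted domain built only from
# characters that are harmless to a shell and to a mail header.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def vulnerable_command(address: str) -> str:
    """The pattern the post warns about: form data pasted into a shell command.

    Returned as a string for illustration only; it is never executed here.
    Anything the user types after the address becomes part of the command.
    """
    return "%s %s" % (SENDMAIL, address)


def validate_email(address: str) -> str:
    """Accept only addresses matching the allow-list; reject everything else."""
    if not EMAIL_RE.match(address):
        raise ValueError("rejected recipient address")
    return address


def sanitize_header(value: str, limit: int = 100) -> str:
    """Collapse CR/LF so a form field cannot inject extra mail headers."""
    return re.sub(r"[\r\n]+", " ", value).strip()[:limit]


def handle_entry(form: dict, run=subprocess.run) -> dict:
    """Validate a guestbook submission and hand it to the mailer safely.

    The mailer is called with a fixed argument vector (no shell), and the
    recipient is taken from the validated To: header via 'sendmail -t'.
    'run' defaults to subprocess.run and is replaceable for offline checks.
    """
    address = validate_email(form.get("email", ""))
    name = sanitize_header(form.get("name", "anonymous"))
    comment = form.get("comment", "")
    message = (
        "To: %s\n"
        "From: guestbook@example.invalid\n"
        "Subject: Guestbook entry from %s\n"
        "\n"
        "%s\n" % (address, name, comment)
    )
    argv = [SENDMAIL, "-t", "-i"]
    # shell=False is the default: argv is passed straight to execve.
    run(argv, input=message.encode(), check=True)
    return {"to": address, "argv": argv, "message": message}


if __name__ == "__main__":
    # Constructed sample submission; a fake runner avoids needing a mailer.
    def fake_run(argv, **kwargs):
        print("would exec:", argv)

    print(handle_entry({"email": "reader@example.com", "name": "Ann",
                        "comment": "Nice page."}, run=fake_run))
```

The point of the `vulnerable_command` function is only to show where the untrusted data lands; the hardened path never builds a command string at all, which is what makes metacharacters in the input irrelevant.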