Date: Sun, 6 May 2001 15:13:17 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Anthony Rubin <arubin@concentric.net>
Cc: Kris Kennaway <kris@obsecurity.org>, security-officer@FreeBSD.org, www@FreeBSD.org
Subject: Re: Attack on dosendpr.cgi
Message-ID: <20010506151317.G98841@xor.obsecurity.org>
In-Reply-To: <000f01c0d66d$f6b8cf20$6400000a@violentmonkey.org>; from arubin@concentric.net on Sun, May 06, 2001 at 03:48:54PM -0500
References: <20010506013753.A51338@xor.obsecurity.org> <000f01c0d66d$f6b8cf20$6400000a@violentmonkey.org>
On Sun, May 06, 2001 at 03:48:54PM -0500, Anthony Rubin wrote:
> dosendpr.cgi uses html.pl to parse its input, which will allow any method,
> but from looking at the code it probably won't function correctly for
> anything other than GET or POST. Basically it checks if the method is GET
> and if so parses the environmental variable QUERY_STRING, otherwise it reads
> from STDIN without checking the method. This should work fine for POST, but
> I'm not sure offhand what will happen with various other methods. It
> populates a hash named %cgi_data with the data and stores the method in a
> scalar named $cgi_method.
>
> You could modify dosendpr.cgi to check $cgi_method, but it would be trivial
> to write a perl script to submit the form multiple times using POST. I
> don't have a suggestion at this time for the best solution for this problem.

Yes, but you couldn't embed it in a URL which people would mistakenly click on. That was the problem here -- other forms of abuse aren't so important (people can always go nuts with send-pr(8) or manually click on the submit button, etc).

> I would also like to point out that I have found no less than 4 different
> ways in which the CGI scripts are parsing their input:
>
> html.pl
> cgi-lib.pl
> CGI.pm
> (processing the input in the script itself)

Thanks for the analysis -- now we just need someone to go through and fix this :-)

Kris
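As an added illustration (not code from the FreeBSD CGI scripts or from either poster), a Perl sketch of the parsing behaviour Anthony describes together with the $cgi_method check he suggests; the function names and the two sample requests are assumptions, and the check only addresses the link-click abuse Kris is concerned about, not scripted POSTs.

```perl
#!/usr/bin/perl -w
use strict;

# Hypothetical stand-in for the html.pl behaviour described in the thread:
#   GET  -> parse the QUERY_STRING environment variable
#   else -> read the body from STDIN without checking the method
# Returns the request method and a hashref of decoded form fields.
sub parse_cgi_input {
    my ($env, $stdin) = @_;   # $env: hashref of CGI variables, $stdin: filehandle
    my $method = uc($env->{REQUEST_METHOD} || '');
    my $raw = '';
    if ($method eq 'GET') {
        $raw = $env->{QUERY_STRING} || '';
    } else {
        my $len = $env->{CONTENT_LENGTH} || 0;
        read($stdin, $raw, $len) if $len > 0;
    }
    my %data;
    for my $pair (split /[&;]/, $raw) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        for ($k, $v) {                       # URL-decode key and value in place
            next unless defined;
            tr/+/ /;
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
        }
        $data{$k} = defined $v ? $v : '';
    }
    return ($method, \%data);
}

# The suggested fix: a state-changing form (filing a PR) is honoured only for
# POST, so a crafted link that someone merely clicks cannot file a report.
sub submission_allowed {
    my ($method) = @_;
    return $method eq 'POST';
}

# Constructed sample requests (not real traffic).
my ($m1, $d1) = parse_cgi_input({ REQUEST_METHOD => 'GET',
                                  QUERY_STRING => 'synopsis=hello+world&category=www' }, \*STDIN);
printf "GET  synopsis='%s', allowed: %s\n", $d1->{synopsis}, submission_allowed($m1) ? 'yes' : 'no';

my $post = 'synopsis=via%20post&category=misc';
open(my $body, '<', \$post) or die $!;   # in-memory filehandle standing in for STDIN
my ($m2, $d2) = parse_cgi_input({ REQUEST_METHOD => 'POST', CONTENT_LENGTH => length($post) }, $body);
printf "POST synopsis='%s', allowed: %s\n", $d2->{synopsis}, submission_allowed($m2) ? 'yes' : 'no';
```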