Introduction to the Apache Web Server - ApacheCon
19.5.1 CGI exploit example - trusting form input

One of the most common CGI exploit categories involved accepting data from HTML forms and trusting it. Remember that the user cannot be trusted. Like your mother always told you, don't put that in your command, you don't know where it's been.

Consider the following scenario. You have a form on your web site, which allows users to send you feedback email. Within your CGI code is something like the following:
    # Vulnerable as written: the form values are interpolated straight into a
    # shell command line, and the recipient is whatever the form supplies.
    open MAIL, "|/usr/bin/sendmail -s $FORM{'subject'} $FORM{'to'}";
    print MAIL $FORM{'body'};
    print MAIL "\n\n.\n\n";
    close MAIL;
Looks pretty straightforward. Data comes in from the form fields subject, to, and body, and this gets passed off to sendmail, which delivers the email. Email is composed to the address in to with a subject line of subject and a body of body, all specified in the form.

There are two problems here.

The first is that a clever (or not-so-clever, really) spammer can use this form to send as many email messages as they want, to whomever they want, by posting data to your CGI program. Since that email will come from your server, you will appear to be responsible for that email.

The second problem is a little more subtle, and much more dangerous. It has to do with the awful way that the code here is calling sendmail. Rather than using a module/library to send the email, it is calling the system executable, and passing arguments to it. This is universally a bad idea, because it allows a clever person to circumvent your command line and insert their own.

Consider, for example, if I enter into the form field to the value:

    bob@foo.com ; rm -rf /

The first part of this is an email address. Great. But then I have the character ;, which terminates the command and starts a new one. At a regular command line, the ; character allows you to type multiple commands in the same line. Since your code is calling the command line, the same rules apply. So putting this in the form field will cause the sendmail command to be abandoned, and my other command to be executed, recursing through the entire file system deleting any file that I happen to have access to.

Fortunately for the hackers, there are several rather popular (read: widely installed) CGI programs that do exactly that, and so all that they need to do is write scripts that attempt to put these sorts of arguments into web forms and see if they can do anything.
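As an added example (not code from the original text), here is one way to rewrite the mailer above so that neither problem applies: the recipient is fixed in the script rather than taken from the form, the form values are checked against an allow-list and stripped of header-breaking characters, and sendmail is started with the list form of open, which hands each argument to execve() directly with no shell in between. The field names from, subject and body, the address webmaster@example.com, the field length limits and the use of the -t and -i flags are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example: hardened feedback-form mailer (not the original page's code).
# Assumed form fields: from, subject, body. Address and limits are illustrative.
use strict;
use warnings;

# The recipient is fixed here, so the form cannot be used as an open relay
# (the first problem described in the text).
my $FEEDBACK_ADDRESS = 'webmaster@example.com';   # placeholder address

# Allow-list check for the sender address. Anchored with \A and \z rather than
# ^ and $, because $ would still match before a trailing newline. Anything that
# is not a plain local-part@domain (spaces, ';', '|', '`', '$', CR/LF, ...) is
# rejected outright instead of being escaped.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length $addr <= 254;
    return $addr =~ /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Header values must not contain CR or LF, otherwise a user could inject extra
# headers (Bcc:, additional recipients) that sendmail -t would honour.
sub clean_header {
    my ($value) = @_;
    $value = '' unless defined $value;
    $value =~ s/[\r\n]+/ /g;
    return substr($value, 0, 200);
}

# Returns 1 on success, 0 if the input was rejected or sendmail failed.
sub send_feedback {
    my (%form) = @_;
    return 0 unless valid_address($form{from});
    my $subject = clean_header($form{subject});
    my $body    = defined $form{body} ? $form{body} : '';

    # List form of open: each argument goes directly to execve(); /bin/sh is
    # never involved, so shell metacharacters in the input are ordinary bytes.
    # -t: read the recipient from the headers written below.
    # -i: do not treat a line consisting of a single '.' as end of message.
    open(my $mail, '|-', '/usr/bin/sendmail', '-t', '-i') or return 0;
    print {$mail} "To: $FEEDBACK_ADDRESS\n",
                  "From: $form{from}\n",
                  "Subject: $subject\n",
                  "\n",
                  $body, "\n";
    close($mail) or return 0;   # false if sendmail exited non-zero
    return 1;
}

# Constructed inputs: the second is the injection attempt from the text, the
# third shows why the regexp is anchored with \z.
for my $addr ('bob@foo.com', 'bob@foo.com ; rm -rf /', 'bob@foo.com' . "\n") {
    (my $shown = $addr) =~ s/\n/\\n/g;
    printf "%-30s %s\n", $shown, valid_address($addr) ? 'accepted' : 'rejected';
}
```

With this shape, the string bob@foo.com ; rm -rf / never reaches a shell at all; it fails the address check before any process is started, and even a value that slipped past the check would arrive in sendmail's argv as a single argument rather than as a second command. The fixed recipient and the CR/LF stripping cover the first problem (using the form as a relay) and the related trick of smuggling extra headers into a message that sendmail -t parses.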
19.5.2 CGI exploit example - hidden form fields

Hidden form fields are not hidden. This is another example of cosmetic security.

* Hidden form fields are not hidden.