"Cthulhu xhAze" - Command execution in Ans.pl

2002-02-21T00:00:00
ID SECURITYVULNS:DOC:2527
Type securityvulns
Reporter Securityvulns
Modified 2002-02-21T00:00:00

Description

!/exploit/by/b0iler

script name: Ans.PL

Primary author of script: Avenger

script url: http://ans.gq.nu/

"Avenger's News System (ANS) is a PERL-based solution to creating an easy-to-update and easy-to-maintain web site. Instead of constantly uploading new news pages and wrestling with HTML, you can post stuff via a web-based form."

The variable $QUERY is defined in the config file as: <define QUERY>"$ENV{'QUERY_STRING'}"

When the script is ran it checks for a post, then it checks for a plugin.
The problem is in the plugin subroutine:

if (substr($QUERY, 0, 2) eq "p=") { $plugin = substr((split /&/, $QUERY)[0], 2); if (index("$QUERY", "&") < 0) { $QUERY = ""; } else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }

open &#40;PLUGIN, &quot;$FILE_LOCATION/$plugin&quot;&#41;;
@plugin = &lt;PLUGIN&gt;;
close &#40;PLUGIN&#41;;

eval&#40;&quot;@plugin&quot;&#41;;
exit;

}

No input filtering is done on user input so command execution is possible.

Exploit: ans.pl?p=../../../../bin/command argument|&blah

Fix: Filter meta characters, .., and use < << > >> when calling open().

replace above code with this:

if (substr($QUERY, 0, 2) eq "p="){ $QUERY =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g; #filter meta characters $QUERY =~ s/\.\.//g; #filter double dot (..) $plugin = substr((split /&/, $QUERY)[0], 2); if (index("$QUERY", "&") < 0) { $QUERY = ""; } else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }

    open &#40;PLUGIN, &quot;&lt;$FILE_LOCATION/$plugin&quot;&#41;;  #added a &lt; to the open&#40;&#41; -

readonly @plugin = <PLUGIN>; close (PLUGIN);

    eval&#40;&quot;@plugin&quot;&#41;;
    exit;

}

I attempted to contact the author on 2/1/02 but they haven't responded.


Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.