HP3000-L Archives

October 1997, Week 1

HP3000-L@RAVEN.UTC.EDU

From: Mark Bixby <[log in to unmask]>
Date: Wed, 1 Oct 1997 10:07:10 -0700

Andreas Schmidt writes:
> I already have a little cgi-bin script on the HP3000 running the free NCSA
> web server (thanks Lars!) what executes out of a little form any MPE
> command (but some not ...;-).
>
> The only issue is: security!

This script has two bad features from a web security point of view:

1) It takes the approach of that which is not forbidden is allowed.  Clever
hackers could do bad things to your system with commands you haven't realized
are dangerous.  A safer philosophy is that which is not allowed is forbidden.
Safest of all would be to have your script only recognize your own
meta-commands like "displaystatus", etc, that your script would then map to the
appropriate MPE commands.

2) You're not removing all shell metacharacters from the command and
parameters immediately before any other processing.  By inserting the proper
malicious shell metacharacters into the QUERY_STRING, I can probably execute
any MPE or sh command that I want to and you won't be able to stop me unless
you have removed these metacharacters prior to processing.  These
metacharacters offer much shell programming power, but do represent a major
security hole on many web sites.

> #!/bin/sh
>
> echo "Content-type: text/html\n"
>
> # QUERY_STRING contains: command=.1.+.2. (if a blank is inserted)
> # The awk splits into [1]command, [2].1.{+.2.}
> MPE_ALL=`echo $QUERY_STRING|awk '{split($1,arr,"=");print arr[2]}'`
>
> # This awk splits into [1].1. [2].2.
> MPE_COMMAND=`echo $MPE_ALL|awk '{split($1,arr,"+");print arr[1]}'`
>
> # Now we perform a second awk for .2. if present, gives
> # [1]command=.1., [2].2.
> MPE_COM_PRM=`echo $QUERY_STRING|awk '{split($1,arr,"+");print arr[2]}'`
>
> # Now we create parameters to avoid destructive commands
> # NO_1,2: PUrge, NO_3,4: ABort...
> NO_1=`echo $MPE_COMMAND|cut -b 1-2`
> NO_2=`echo $MPE_COM_PRM|cut -b 1-2`
> NO_3=`echo $MPE_COMMAND|cut -b 1-2`
> NO_4=`echo $MPE_COM_PRM|cut -b 1-2`
>
> echo "<HTML><HEAD><TITLE>HP3000: MPE/iX Command execution</TITLE></HEAD>"
> echo "<BODY background="../matchy.gif" bgcolor="#ffffff">"
> echo "<H1>You requested the execution of:</H1>"
> echo "<FONT size=+2><B><I>$MPE_COMMAND $MPE_COM_PRM</I></B></FONT>"
> echo "<H4>The result is:</H4><PRE>"
> echo "<HR SIZE=1>"
> echo "<B>"
>
> if [ "$NO_1" = "PU" -o "$NO_1" = "pu" -o \
> "$NO_2" = "PU" -o "$NO_2" = "pu" -o \
> "$NO_3" = "AB" -o "$NO_3" = "ab" -o \
> "$NO_4" = "AB" -o "$NO_4" = "ab" ]
> then
>    echo "<IMG src="../faust.gif" alt="[gotcha]">"
> else
>    callci $MPE_COMMAND $MPE_COM_PRM
>
> fi
>
> echo "</PRE></B><HR SIZE=1></BODY></HTML>"
--
Mark Bixby                      E-mail: [log in to unmask]
Coast Community College Dist.   Web: http://www.cccd.edu/~markb/
District Information Services   1370 Adams Ave, Costa Mesa, CA, USA 92626-5429
Technical Support               +1 714 438-4647
"You can tune a file system, but you can't tune a fish." - tunefs(1M)
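The two fixes described in the message above, a script that only recognises its own meta-commands and maps them to fixed MPE commands, and a metacharacter check applied to the query string before any other processing, as an added shell example. This is not the original script and not code from anyone in this thread. The meta-command names, their mapping to SHOWJOB and SHOWTIME, and the use of GATEWAY_INTERFACE to tell a web-server invocation from a plain shell one are assumptions for illustration; callci is the MPE/iX command the original script already calls.

```shell
#!/bin/sh
# Added example: a "what is not allowed is forbidden" CGI dispatcher.
# Nothing the browser sends is ever handed to the shell or to callci;
# only a fixed command looked up by name is executed.

# Returns 0 if $1 consists only of letters, digits and = + _ . -
# (no ; | & ` $ ( ) < > quotes, backslashes or whitespace), else 1.
safe_chars() {
    case "$1" in
        "")                   return 1 ;;
        *[!A-Za-z0-9=+_.-]*)  return 1 ;;
        *)                    return 0 ;;
    esac
}

# Prints the value of a query string of the form "command=NAME".
# Any other shape is refused rather than guessed at.
query_command() {
    case "$1" in
        command=*) printf '%s\n' "${1#command=}" ;;
        *)         return 1 ;;
    esac
}

# Maps a meta-command to the exact MPE command it stands for.
# The mapping below is an assumption for the example; the point is that
# the user supplies a name, never MPE or sh syntax. Unknown names fail.
resolve_meta() {
    case "$1" in
        displaystatus) printf '%s\n' 'SHOWJOB' ;;
        showtime)      printf '%s\n' 'SHOWTIME' ;;
        *)             return 1 ;;
    esac
}

# Validates a raw QUERY_STRING and prints the MPE command to run.
# Returns non-zero (printing nothing to stdout) whenever the request is refused.
handle_request() {
    qs=$1
    # 1. Character check first, before any splitting, cutting or echoing.
    safe_chars "$qs" || { echo "refused: disallowed characters" >&2; return 1; }
    # 2. Pull out the meta-command name.
    name=$(query_command "$qs") || { echo "refused: malformed query" >&2; return 1; }
    # 3. Translate it; anything not in the table is refused.
    resolve_meta "$name" || { echo "refused: unknown meta-command $name" >&2; return 1; }
}

# Act as a CGI only when a web server invoked us (servers set GATEWAY_INTERFACE);
# otherwise the functions above are merely defined, so the file can be sourced.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-type: text/plain\n\n'
    if cmd=$(handle_request "${QUERY_STRING:-}"); then
        printf 'Running: %s\n' "$cmd"
        callci "$cmd"      # MPE/iX only: hands the fixed command string to the CI
    else
        printf 'Request refused.\n'
    fi
fi
```

Because the request is refused outright when it contains anything outside the allowed set, the script never needs to strip or escape metacharacters, and the only strings that reach callci are the literals in resolve_meta. Adding a command means adding one line to that table; nothing else in the script changes.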
