
Bug#47708: Serious security holes result from failure to quote variables
Package: cgi-scripts
Version: 1.0.9
Severity: grave

Several example scripts in the 'cgi-scripts' package pass information
supplied by the remote user via unquoted strings.  The failure to quote
these strings introduces a severe potential vulnerability.  Although some
web servers may provide some first-line protection against glaring
exploits of this situation, none provide truly secure protection for this.

The worst-case scenario is that arbitrary information could be passed to
the shell running with the privileges of the user (or pseudo-user) who
owns the web server process.  That could allow compromises of the 'cat
/etc/passwd' sort, and could conceivably allow a remote user to gain
information about directory structures and other sensitive information on
the filesystem outside the document root.  If there are suid programs on
the local filesystem, these could conceivably be executed on behalf of the
remote user through the web server.

For example, the 'calendar' utility passes the '$*' variable unquoted as
the argument to the 'cal' program, and the 'nph-test-cgi' utility passes
'$QUERY_STRING' and several other such critical variables unquoted.  If
the remote user is able to insert certain dangerous special characters
which have significance to the shell, such as backquote, semicolon,
asterisk, and so on, then serious security compromises are possible.  The
exact extent of the vulnerability and ease of exploitation depends upon
the configuration of the particular web server.

There are no cases in which it is desirable to leave strings unquoted.
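The quoting problem described above, as an added example that is not part of this report or of the cgi-scripts package: a stand-in for 'cal' counts the arguments it receives, which makes the difference between unquoted and quoted expansion of a constructed query string visible, next to an allow-list check of the kind a script could apply before calling anything. The names count_args, unquoted_call, quoted_call, is_month_year and demo are assumptions.

```shell
#!/bin/sh
# Added example, not from the cgi-scripts package: how an unquoted
# user-supplied variable changes the argument list a command receives,
# next to the quoted form and an allow-list check.

# Stand-in for the program the script invokes (think 'cal'): prints the
# number of arguments it received.
count_args() {
    printf '%s\n' "$#"
}

# Vulnerable pattern: the value is expanded unquoted, so the shell applies
# word splitting and pathname expansion before the command ever sees it.
unquoted_call() {
    count_args $1
}

# Hardened pattern: quoting passes the value through as a single argument.
quoted_call() {
    count_args "$1"
}

# Defence in depth: accept only the characters a month/year argument can
# contain (digits and spaces) before the value reaches any command.
is_month_year() {
    case $1 in
        '') return 1 ;;
        *[!0-9' ']*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo with a constructed query string carrying spaces and a glob character,
# run in a scratch directory so the glob has files to match.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" && touch a.txt b.txt c.txt
        q='12 1999 *.txt'
        printf 'unquoted: %s args\n' "$(unquoted_call "$q")"   # 5
        printf 'quoted:   %s args\n' "$(quoted_call "$q")"     # 1
        is_month_year "$q" && echo accepted || echo rejected   # rejected
    )
    rm -rf "$dir"
}
```

Run `demo` to see the three results; the unquoted call hands the stand-in five arguments because the spaces split the value and `*.txt` matched the three files.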

Note that this issue affects both 1.0.10 (potato/unstable) and 1.0.9
(slink/stable).  Although some of these issues were corrected in 1.0.10,
such as the 'nph-test-cgi' problem, some remain, such as the 'calendar'
problem.  Regardless, the security problems here in combination with low
probability of consequent bug propagation in this situation warrant a
correction to the stable tree in addition to the unstable tree.

-- Mike