Re: WEB SECURITY: fyi!!
With respect to the dreadfully OLD phf problem, I've implemented a
"unique" solution. Here's what I use in place of the old phf... It gives
fun replies to "id", "uname" and "passwd" (as in /bin/cat%20/etc/passwd).
For example, it generates a unique passwd file each time at random.
Interesting lusernames^H^H^H^H^H^H^H^Husernames too.
Here, try:
http://www.sjis.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
http://www.sjis.com/cgi-bin/phf?Qalias=x%0a/usr/bin/id
http://www.sjis.com/cgi-bin/phf?Qalias=x%0a/bin/uname%20-a
http://www.sjis.com/cgi-bin/phf
Here it is, I move that it be incorporated into the cgi-scripts package...
It requires perl 5.0x and CGI.pm.
---chop here----
#!/usr/bin/perl
# phf buster
# They want a passwd file to crack? Let's give them one.
srand(time ^ $$);

# Don't ask about the goofy order. For some reason, perl outputs the
# members of the hash in a seemingly random order. Larry?
%lusers = ( bin      => 'been',
            daemon   => 'try',
            operator => 'time',
            adm      => 'dork',
            lp       => 'for',
            uucp     => 'year',
            news     => 'a',
            lart     => 'would',
            duh      => 'Why',
            bill     => 'you',
            hillary  => 'holes',
            dork     => 'a',
            beavis   => 'known',
            hank     => 'are',
            bubba    => 'over',
            dale     => 'that',
            harvey   => 'Only',
            dreck    => 'your',
            slappy   => 'have',
            dweeb    => 'wasting',
            smack    => 'time');
@shells = ('/bin/sh','/bin/csh','/usr/bin/ksh','/usr/local/bin/tcsh','/usr/local/bin/bash');

use CGI;
$query = new CGI;
$qs = $query->query_string;

if ( $qs =~ /id/i ) {
    # Canned "id" output
    print $query->header('text/plain');
    print "uid=65534(nobody) gid=65535 groups=65535\n";
    print "Did you really think httpd would be running as root? Come on.\n";
} elsif ( $qs =~ /passwd/i ) {
    # Fake passwd file, regenerated on every request
    print $query->header('text/plain');
    # crypt_it takes (user, password); the user name only perturbs the salt
    $rootpw = &crypt_it('root', 'dork');
    print "root:$rootpw:0:0:root:/:/bin/sh\n";
    $uid = 5;
    $gid = 100;
    foreach $luser (keys %lusers) {
        $home = '/home/' . $luser;
        # rand(@shells) covers every index; rand($#shells) never picked the last shell
        $shell = $shells[rand(@shells)];
        $pw = &crypt_it($luser, $lusers{$luser});
        $line = join(':', $luser, $pw, $uid, $gid, $luser, $home, $shell);
        print "$line\n";
        $uid++;
    }
} elsif ( $qs =~ /uname/i ) {
    # Canned "uname -a" output
    print $query->header('text/plain');
    print "Hamilton97 beaver 4.0 #1 Thu Feb 18 11:19:54 EST 1997 cray\n";
} else {
    print $query->header('text/plain');
    print "We don\'t run phf here. Go away.\n";
}

# Return crypt() of $pass with a two-character salt derived from the
# current time and the first two bytes of $user.
sub crypt_it {
    my($user, $pass) = @_;
    my($nsalt, $week, $now, $pert1, $pert2);
    my(@salt_set) = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    $now = time;
    ($pert1, $pert2) = unpack("C2", $user);
    $week = $now / (60*60*24*7) + $pert1 + $pert2;
    $nsalt = $salt_set[$week % 64] . $salt_set[$now % 64];
    return crypt($pass, $nsalt);
}
-----chop here------
Jason Costomiris | Finger for PGP 2.6.2 Public Key
jcostom@sjis.com | "There is a fine line between idiocy
My employers like me, but not | and genius. We aim to erase that line"
enough to let me speak for them. | --Unknown
http://www.jasons.org/~jcostom
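
Added example, not part of the original post or of the cgi-scripts package: a Python log check that finds the requests the decoy above answers, separating bare hits on a script named phf from those carrying a line break in a query parameter. The log lines are constructed, and the function name phf_probes is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Common Log Format, documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [18/Feb/1997:11:19:54 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1024
192.0.2.10 - - [18/Feb/1997:11:20:03 -0500] "GET /cgi-bin/phf?Qalias=x%0a/usr/bin/id HTTP/1.0" 200 98
198.51.100.7 - - [18/Feb/1997:11:21:40 -0500] "GET /cgi-bin/phf HTTP/1.0" 200 33
203.0.113.5 - - [18/Feb/1997:11:22:01 -0500] "GET /index.html HTTP/1.0" 200 2048
"""

CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
                 r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+')

def phf_probes(log_text):
    """Return one dict per request to a script named phf, with any injected command."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a parseable CLF line
        url = urlsplit(m.group("target"))
        if url.path.rsplit("/", 1)[-1].lower() != "phf":
            continue
        injected = None
        # parse_qsl percent-decodes, so %0a shows up here as a real newline.
        for _name, value in parse_qsl(url.query, keep_blank_values=True):
            if "\n" in value or "\r" in value:
                # Text after the first line break is what the client
                # hoped would be run as a command.
                injected = re.split(r"[\r\n]+", value, maxsplit=1)[1].strip()
                break
        hits.append({"host": m.group("host"), "when": m.group("when"),
                     "injected": injected})
    return hits

if __name__ == "__main__":
    for hit in phf_probes(SAMPLE_LOG):
        kind = "command injection attempt" if hit["injected"] else "bare probe"
        print(f'{hit["when"]} {hit["host"]} {kind}: {hit["injected"] or "-"}')
```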