AW: CGI Perl Question

From: Stefan Osterlitz (osterlitz@blox.de)
Date: 07/24/01

• Previous message: Tom Geldner: "RE: Win32.Sircam.Worm Alert....."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Stefan Osterlitz" <osterlitz@blox.de>
To: "'Leonard Leblanc'" <lleblanc@emergeknowledge.com>, <security-basics@securityfocus.com>
Subject: AW: CGI Perl Question
Date: Tue, 24 Jul 2001 18:36:08 +0200
Message-ID: <C5FEADB4FB3EE543959CE43DEE2ABE4E35C6@trendserver.blox.blox.ag>

-----Ursprüngliche Nachricht-----
Von: Leonard Leblanc [mailto:lleblanc@emergeknowledge.com]
Gesendet: Dienstag, 24. Juli 2001 04:31
An: security-basics@securityfocus.com
Betreff: CGI Perl Question

Hello Everyone,

We are currently developing a new website with perl that consists of using
the HTML::Template module. In the beginning of this script there are
multiple constants defined which point to the template files using the
$ENV{DOCUMENT_ROOT} environment variable.

Does this present any more/less of a security risk then just hardcoding the
entire path into the script?

The environment is set up by the server prior to serving the request back to
the client.
Setting it will not affect the following requests. Any CGI can modify the
environment.
Perl should not be able to violate your filesystem permissions.

Judge yourself whether this is true ... ;-)

If/when you run your web server chrooted, this alone will not make your
server exloitable.
You can not open files which are unavailable to the web server this way.

What you might do is opening files from another virtual server hosted by the
same server process.
If you use mod_perl, i guess you will (almost surely) have a problem there.
This however requires that someone can modify your CGIs or you set the
environment based on user input,
or , even worse, execute user input!

-> These problems will occur only if anyone can modify the environment from
within the script.

If you can exploit HMTL::Template in way of SSI includes, Bad Things might
happen.
This requires that HTML::Template tags are mapped to subroutines, using
"magic" names:
Review o'Reillys "Writing Apache Modules in Perl And C" for the Apache::ESSI
example.
The method shown there is not _really_ secure, if you don't use qualified
subroutine names.

I may be worng.

Stefan Osterlitz

---

• Previous message: Tom Geldner: "RE: Win32.Sircam.Worm Alert....."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)