Hi,

As I was surfing through some older Securityfocus archives I stumbled across the article about Penguin traceroute v1.0:
http://online.securityfocus.com/archive/1/263285

This article described some metacharacter bugs in this CGI script; it also included a suggested fix.

<quote>
Fix
===
Open up the perl script in your favorite text editor, find a line that has
"$host = $q->param('host');"
Its usually the 13th line down then just add this line
"$host =~ s/[;<>\*\|'&\$!?#\(\)\[\]\{\}:'"\\]//g;"
under it and that should parse out any unwanted characters.
</quote>

Well, yes, it does parse out some metacharacters, but the " ` " (backtick) is not filtered out in any way (probably one of the two quotes " ' " should be a backtick). Also the slash and the hyphen are not filtered.

Example: entering `cat /etc/passwd` gives us:

Taceroute to `cat /etc/passwd`
traceroute: unknown host root:*:0:0:Charlie

This is only the first line because only that one gets interpreted by traceroute. But there are ways around this to retrieve the full file with some patience:

Taceroute to `wc -l /etc/passwd`
traceroute to 18 (0.0.0.18), 64 hops max, 40 byte packets

So we see that in this case the passwd file is 18 lines big. We could retrieve the rest by doing tail -n 18 /etc/passwd, tail -n 17 etc.. etc..

The author and the first person that found a bug in this script (Paul Jenkins) have been notified.

Second fix: replace the second quote by a backtick and add slash and hyphen to the filter :)

Cheers,
Marco van Berkum

--
| Marco van Berkum / MB17300-RIPE |
| m.v.berkum@obit.nl / http://ws.obit.nl |
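
An allowlist alternative to the character blacklist discussed above, as an added example that is not part of the original post or of the Penguin traceroute script. The sub names valid_host and run_traceroute and the path /usr/sbin/traceroute are assumptions; the sample inputs are constructed, apart from the two backtick strings taken from the post.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# One DNS label: starts and ends alphanumeric, hyphens only in the middle.
my $LABEL = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;

# Hypothetical helper: accept only a dotted hostname or IPv4 address.
# Input that does not match is rejected rather than stripped, so a
# metacharacter a blacklist forgot (such as the backtick) never reaches
# the command. A leading "-" is rejected too, so the value cannot be
# read by traceroute as an option.
sub valid_host {
    my ($host) = @_;
    return 0 unless defined $host && length $host && length $host <= 253;
    # \A ... \z anchors the whole string; "$" would allow a trailing newline.
    return $host =~ /\A$LABEL(?:\.$LABEL)*\z/ ? 1 : 0;
}

# Hypothetical helper: run traceroute without a shell. The list form of
# a pipe open execs the program directly, so backticks, ";" and "|" in an
# argument would not be interpreted even if validation were bypassed.
sub run_traceroute {
    my ($host) = @_;
    die "invalid host\n" unless valid_host($host);
    open(my $fh, '-|', '/usr/sbin/traceroute', $host)   # assumed path
        or die "cannot run traceroute: $!\n";
    my @out = <$fh>;
    close $fh;
    return @out;
}

# In the CGI script this would replace the s/[...]//g filter line:
#   my $host = $q->param('host');
#   print run_traceroute($host);

# Validation check only; traceroute is not executed here.
for my $in ('www.example.com', '192.0.2.1', '`cat /etc/passwd`',
            '`wc -l /etc/passwd`', '-n', "host\n", 'a;b') {
    (my $shown = $in) =~ s/\n/\\n/g;
    printf "%-22s %s\n", $shown, valid_host($in) ? 'accepted' : 'rejected';
}
```

Only the first two inputs are accepted; both backtick strings from the post, the option-like "-n", the newline-terminated value and "a;b" are rejected.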