
CGI.pm shares the param namespace with the attribute namespace #6867

Closed
p5pRT opened this issue Oct 25, 2003 · 5 comments

Comments


p5pRT commented Oct 25, 2003

Migrated from rt.perl.org#24294 (status was 'resolved')

Searchable as RT24294$


p5pRT commented Oct 25, 2003

From perl-5.8.0@ton.iguana.be

Created by perl-5.8.0@ton.iguana.be

CGI.pm uses the object hash to store the parameter name/value pairs.
This means that you can use the parameters of a query to set
most internal attributes.

In particular, you can set things like "dontescape".

On at least one public website (identity withheld) running the CGI.pm
coming with 5.8.0 ($CGI::VERSION='2.81') I could do:

http://site.xxx.yyy/?field=qwe%22%3EX%3Cblink%3EXX%3Cx+x%3D%22&dontescape=1

where the "addr" parameter normally ends up in an input field with proper
escaping, but by adding the dontescape=1, I can close the field and
actually activate the <BLINK> tag in the page body. So this is usable
for exploiting cross-site-scripting holes.

Same idea from the command line:
perl -wle 'use CGI; $q=CGI->new; print $q->textfield($q->param("foo"))' foo="qwe%22%3EX%3Cblink%3EXX%3Cx+x%3D%22"\&dontescape=1

which outputs:

<input type="text" name="qwe">X<blink>XX<x x="" />

Or:

perl -MCGI=:standard -wle 'print escapeHTML(param("arg"));' arg=%3Cxss+here%3E\&dontescape=1

outputting:
<xss here>

Some other internal attributes look usable too.

I think it's a fundamental mistake to use the object hash itself as the
place to hold parameter name/value pairs.

The most recent CGI.pm (3.00) seems to have renamed dontescape to escape
and initialize it by default which fixes it for that particular
variable, but any that don't get initialized (and there seem to be
several like .cgi_error, separator, final_separator, .header_printed,
.r, .path_info, cache, .parametersToAdd, .cookies, .raw_cookies, .tmpfiles)
are still vulnerable to this. Some of them still seem interesting to
control output and several are trivially usable to cause the CGI to
error (DOS). Even if you initialize them all, it's still very easy to
forget this on any changes. It also makes some actual field names unusable.

Here's a "crash the CGI" example:
perl -MCGI=:standard -e 'cookie()' .cookies=1

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl v5.8.0:

Configured by ton at Tue Nov 12 01:56:18 CET 2002.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.4.19, archname=i686-linux-thread-multi-64int-ld
    uname='linux quasar 2.4.19 #5 wed oct 2 02:34:25 cest 2002 i686 unknown '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=undef uselongdouble=define
    usemymalloc=y, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -fomit-frame-pointer',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='2.95.3 20010315 (release)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -ldb -ldl -lm -lpthread -lc -lposix -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lpthread -lc -lposix -lcrypt -lutil
    libc=/lib/libc-2.2.4.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.2.4'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:

@INC for perl v5.8.0:
    /usr/lib/perl5/5.8.0/i686-linux-thread-multi-64int-ld
    /usr/lib/perl5/5.8.0
    /usr/lib/perl5/site_perl/5.8.0/i686-linux-thread-multi-64int-ld
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    .
Environment for perl v5.8.0:
    HOME=/home/ton
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/ton/bin.Linux:/home/ton/bin:/home/ton/bin.SampleSetup:/usr/local/bin:/usr/local/sbin:/usr/local/jre/bin:/home/oracle/product/9.0.1/bin:/usr/local/ar/bin:/usr/games/bin:/usr/X11R6/bin:/usr/share/bin:/usr/bin:/usr/sbin:/bin:/sbin:.
    PERL_BADLANG (unset)
    SHELL=/bin/bash
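The separation the report argues for, shown as an added example in Perl (this is not CGI.pm's code and not part of the report): the hypothetical SafeQuery class keeps user-supplied names in a dedicated params sub-hash and initializes its escape attribute explicitly, so a query carrying dontescape=1 or escape=0 is stored as ordinary parameters and never reaches the attribute that controls escaping.

```perl
use strict;
use warnings;

# Hypothetical minimal query object (not CGI.pm) showing the separation the
# report argues for: user-supplied parameters live in their own sub-hash, so
# a parameter name can never overwrite one of the object's own attributes.
package SafeQuery;

sub new {
    my ($class, $query_string) = @_;
    # Every attribute is initialized explicitly and never read from a parameter.
    my $self = bless {
        escape => 1,    # HTML-escape output unless the program itself turns it off
        params => {},   # the only place user-controlled names are stored
    }, $class;
    for my $pair (split /[&;]/, $query_string // '') {
        my ($name, $value) = map { _url_decode($_) } split /=/, $pair, 2;
        next unless defined $name && length $name;
        push @{ $self->{params}{$name} }, $value // '';
    }
    return $self;
}

sub _url_decode {
    my $s = shift;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr hex $1/ge;
    return $s;
}

sub param {
    my ($self, $name) = @_;
    my $vals = $self->{params}{$name} or return;
    return wantarray ? @$vals : $vals->[0];
}

sub escapeHTML {
    my ($self, $text) = @_;
    return $text unless $self->{escape};    # reads the attribute, never a parameter
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;');
    $text =~ s/([&<>"])/$map{$1}/g;
    return $text;
}

package main;

# Constructed query string in the shape of the report's example: dontescape=1
# and escape=0 arrive as ordinary parameters and leave the escape attribute alone.
my $q = SafeQuery->new('arg=%3Cxss+here%3E&dontescape=1&escape=0');
print $q->escapeHTML($q->param('arg')), "\n";
```

The same rule applies to the other names the report lists (.cookies, .tmpfiles, separator and so on): if they are object attributes, they are set by the program and live outside the params sub-hash, so no query string can create or clobber them.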


p5pRT commented Jun 25, 2008

From lstein@cshl.edu

Fixed in 3.38. Sorry for the delay.


p5pRT commented Jun 25, 2008

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jun 25, 2008

From p5p@spam.wizbit.be

This is resolved in version 3.38 of CGI.pm.


p5pRT commented Jun 25, 2008

p5p@spam.wizbit.be - Status changed from 'open' to 'resolved'
