|
|
Weakness in Perl CGI causes memory dump ??
08-25-2003
total 2004
drwxr-xr-x 2 root root 4096 Aug 25 05:26 .
drwxrwxrwx 8 root root 4096 Aug 24 14:53 ..
-rw-r--r-- 1 root root 14612 Jul 15 14:22 46lijh*&()*%&(..jpg
-rw-r--r-- 1 root root 17289 Jul 15 12:50 @@@@ax2.jpg
-rwxrwxrwx 1 apache apache 40721 Jul 6 11:30 `echo "hacked"`.jpg
-rw-r--r-- 1 root root 70168 Jul 15 12:42 %^^^^^fty^^^%.jpg
-rw-r--r-- 1 root root 27774 Jul 15 12:50 gm######ax3.jpg
-rw-r--r-- 1 root root 14813 Jul 15 12:40 gren%45%647%12%20%39%94ade2.jpg
-rw-r--r-- 1 root root 27397 Jul 15 14:23 hkacr1.gif
-rwxrwxrwx 1 apache apache 130520 Jul 6 11:30 i%90rm -r -f../../*.jpeg
-rw-r--r-- 1 root root 26386 Jul 15 14:23 ioio{{[[}}]].jpg
-rwxrwxrwx 1 apache apache 72068 Jul 6 11:30 ```````````````````````.jpg
-rw-r--r-- 1 root root 27728 Jul 15 12:48 ~~~~~.jpg
-rw-r--r-- 1 root root 25079 Jul 15 14:28 ======.jpg
-rw-r--r-- 1 root root 14372 Jul 15 14:18 >>><<<.jpg
-rw-r--r-- 1 root root 12887 Jul 15 14:29 |||||.jpg
-rw-r--r-- 1 root root 52689 Jul 15 12:40 ;cat /etc/passwd .jpg
-rwxrwxrwx 1 apache apache 28602 Jul 6 11:30 ,,,,,,.jpg
-rwxrwxrwx 1 apache apache 36075 Jul 6 11:30 :::::.jpg
-rw-r--r-- 1 root root 12491 Jul 15 14:28 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.jpg
-rw-r--r-- 1 root root 23729 Jul 15 12:51 ?????.jpg
-rw-r--r-- 1 root root 29784 Jul 15 14:19 .jpg
-rw-r--r-- 1 root root 18780 Jul 15 14:28 ....jpg
-rw-r--r-- 1 root root 13547 Jul 15 14:27 '''''''''''''''.jpg
-rw-r--r-- 1 root root 33670 Jul 15 14:23 """""".jpg
-rw-r--r-- 1 root root 44942 Jul 15 12:41 (((((.jpg
-rw-r--r-- 1 root root 13274 Jul 15 12:43 *.jpg
-rw-r--r-- 1 root root 34681 Jul 15 14:19 \';|":\';|";\';|":\';|":.jpg
-rw-r--r-- 1 root root 13085 Jul 15 14:26 \\\\.jpg
-rw-r--r-- 1 root root 19159 Jul 15 12:37 &********.jpg
-rwxrwxrwx 1 apache apache 77473 Jul 6 11:30 jpg.jpg
-rw-r--r-- 1 root root 0 Aug 25 05:26 list
-rw-r--r-- 1 root root 38004 Jul 15 14:22 }|:"|{LP{LP][;\;']\].jpg-rw-r--r-- 1 root root 34990 Jul 15 12:51 m18good.jpg
-rw-r--r-- 1 root root 21207 Jul 15 12:48 m43stk.jpg
-rw-r--r-- 1 root root 10120 Jul 15 12:50 muchtoolongyesitisfartoolongfortheservermuchmuchmcuhtoolong.jpg
-rw-r--r-- 1 root root 20877 Jul 15 12:37 +++++sdffs.jpg
-rw-r--r-- 1 root root 12924 Jul 15 14:28 >>>>foo.jpg
-rw-r--r-- 1 root root 691361 Jul 15 12:52 <<<<foo.jpg
-rw-r--r-- 1 root root 17910 Jul 15 12:47 s p a c e y
.jpg
-rwxrwxrwx 1 apache apache 29531 Jul 6 11:30 testgood.jpg
-rw-r--r-- 1 root root 17919 Jul 15 14:25 &&&tfyj.jpg
-rwxrwxrwx 1 apache apache 62764 Jul 6 11:30 UYGUGUGYUGIGIGYGUBJHBJGJGJKGJHJHGJHGJGJHGJHGJHJKHGJYTYTUIYTUT&YTUTUTUYTU*^&*%*%)**&^*^)*%&^_)*_)*)(*)(.jpg
sub upload
{
if ($uploadpicname eq '') # check if empty
{
errorgivename();
printhtmlfooter();
exit 1;
}
print "$uploadpicname";
$uploadpicname =~ s/.*[\/\\](.*)/$1/; # remove any path info
$uploadpicname =~ s/[';|`{}:%^*&()\"]//g; # kill naughty characters
if ($uploadpicname eq '')
{
errorgivename(); # check if all chars were killed
printhtmlfooter();
exit 1;
}
$namelength = length($uploadpicname)-4; # get length of the filename
$namebody = unpack("A$namelength", $uploadpicname); # separate name
$extension = unpack("x$namelength A4", $uploadpicname); # separate extension
if ($extension ne $validextension)
{
erroruploadnotjpg();
}
($newname = $namebody) =~ s/[^a-zA-Z0-9]//g; # remove funny characters in name body
$newname =~ s/[^\w]//g;
$newname = substr($newname, 0, $maxnamelength); # truncate to sensible length
unless ($newname) # if theres still nothing left
{ # then make up a random name
$newname = randstring(9);
}
$newname = $newname.$extension; # stick the extension back on
$writeto = "$relativeroot$uploaddir/$newname";
if ( -e "$writeto") # check name not already used
{
errorfileexists();
}
else
{
if ($uploadpasswd eq $groupadminpasswd) # is user allowed to upload?
{
....... upload file etc|
|