[TriLUG] I've got intruders!!

Rick DeNatale rick.denatale at gmail.com
Wed May 17 11:57:16 EDT 2006


On 5/16/06, Neil L. Little <nllittle at vnet.net> wrote:
> There were no PHP scripts running.
> The HTTP server was running WebGUI, a content management application
> based on  Perl.

Perl apps are quite susceptible to security exposures, not only the
usual things like sql injection, but also perl specific feature
exploitations.

One dangerous feature of perl is the way that filenames are overloaded
in the open() function to do IPC, in perl open("ls |") will actually
run an ls command and return a pipe handle so that you can read the
output of the command.

If a perl cgi takes something from the user, and interprets it as a
file name without first scrubbing it, a malicious user can execute
arbitrary code with the permissions of the cgi process.  This was the
basis of a pretty nasty exposure in awstats which typically got
exploited by using a url which used wget to download a zombie program
and then execute it.

A google of "webgui security" turns up a vulnerability which was
discovered a few months ago:
http://www.securityfocus.com/bid/16612

This seems to affect webgui 6.3.0-6.8.5
-- 
Rick DeNatale

IPMS/USA Region 12 Coordinator
http://ipmsr12.denhaven2.com/

Visit the Project Mercury Wiki Site
http://www.mercuryspacecraft.com/



More information about the TriLUG mailing list