     Re: Potential webnocol.cgi Vulnerability

webnocol.cgi now has authentication built into it and does not require
.htaccess. It uses cookies for authentication.

Hence, an unauthenticated user should not be able to run these commands.
However, your suggestion is valid and I will add this code to the
webnocol.cgi program.

	-vikas

> Was going through the code for webnocol.cgi and I came across this near
> line 663,
> 
>    if ($cmd) {
>       $cmd =~ s/DEVICE/$siteaddr/ ;     # replace keyword with IP address
>       if (! open (CMD, "$cmd 2>&1 |") ) {
>         print "Command $cmd error  <p>\n";
> 
> This portion replaces the keyword DEVICE with the $siteaddr posted by the
> HTML form (lines 127) so a malicious user that knows a site is using
> NOCOL, and that is unrestricted by .htaccess can cause a bit of a problem
> by doing a POST with dangerous characters placed in the field 'siteaddr'.
> 
> A suggestion would be to do a
> 
> 	$siteaddr=~y/a-zA-Z0-9_.\-//cd;
> 
> prior to executing the diagnostic commands. 
> 
> Comments are welcomed.
> 
> rgds,
> Lim Fung
>
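
The mitigation discussed in this thread, as an added example that is not part of the original messages or of NOCOL's own code: it rejects a `siteaddr` outside the allowlist instead of silently stripping characters, and runs the diagnostic command without a shell so metacharacters are never interpreted. The names `valid_siteaddr` and `run_diag`, the `echo` command template and the sample addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Accept only hostname/IP characters, and never a leading '-' that a
# diagnostic tool could parse as an option. Reject instead of stripping.
sub valid_siteaddr {
    my ($addr) = @_;
    return defined $addr && $addr =~ /\A[A-Za-z0-9_][A-Za-z0-9_.\-]{0,254}\z/;
}

# Run a command template such as "echo checking DEVICE" without a shell:
# the template is split into argv words, DEVICE is replaced in each word,
# and the child exec()s the list form, so no shell parses the input.
sub run_diag {
    my ($template, $siteaddr) = @_;
    return unless valid_siteaddr($siteaddr);
    my @argv = map { my $w = $_; $w =~ s/DEVICE/$siteaddr/g; $w }
               split ' ', $template;
    return unless @argv;
    my $pid = open(my $out, '-|');       # fork; child's STDOUT is our pipe
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        open(STDERR, '>&', \*STDOUT);    # same effect as "2>&1"
        exec { $argv[0] } @argv or exit 127;
    }
    my @lines = <$out>;
    close $out;
    return \@lines;
}

# Constructed sample inputs; "echo" stands in for a configured diagnostic
# command (hypothetical, chosen so the example runs anywhere).
for my $addr ('192.0.2.10', 'router1.example.net', '192.0.2.10; id', '-f', '$(id)') {
    my $res = run_diag('echo checking DEVICE', $addr);
    printf "%-22s %s", "[$addr]", $res ? $res->[0] : "rejected\n";
}
```

The first two addresses are passed to the command as a single argument; the last three are rejected before any process is started.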