Sla.ckers.org
For any nonsense or banter that doesn't fit anywhere else. LoL! omg! ROFL! 
Security through bad code
Posted by: tx
Date: August 14, 2008 08:34PM

So I was asked to review a PHP image resizing script for a client before they used it on their site, to let them know if I foresaw any problems using the script. I popped it open and quickly scanned over it. Besides the fact that it is really quite poorly written, I came across what at a quick glance looked to be a possibility for Remote Command Execution. Here's the snippet:

    // try to determine mime type by using unix file command
    // this should not be executed on windows
    if( !valid_src_mime_type( $mime_type ) && !(eregi('windows', php_uname())) ) {
        if( preg_match( "/freebsd|linux/", $os ) ) {
            $mime_type = trim( @shell_exec( 'file -bi $file' ) );
        }
    }

That's right, the $file variable is passed directly into a shell command... except it isn't; brilliantly, the programmer decided to use single quotes around the string, not only ensuring that $mime_type is set to the usage instructions for the find command but also "fixing" the vulnerability.

Score 1 for bad coding! :)

-tx @ lowtech-labs.org
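To make the quoting point concrete, here is an added example (it is not code from the reviewed script or from this post; the attacker-controlled `$file` value and the three function names are constructed for illustration). It shows what each quoting variant actually hands to /bin/sh, why a one-character "fix" to double quotes would turn the dead code into real command injection, and what a hardened version using escapeshellarg() looks like.

```php
<?php
// Added example, not from the reviewed script or the original post.
// Assumption: in the real script $file comes from a request parameter.
// Constructed attacker-controlled value with shell metacharacters.
$file = 'x.jpg; id > /tmp/pwned';

// 1. As written in the snippet: single quotes, so PHP does NOT interpolate
//    $file. The literal text "file -bi $file" reaches /bin/sh, which expands
//    the (normally unset) shell variable $file to nothing and runs
//    "file -bi" with no operand, which fails with a usage message instead
//    of reporting a MIME type. No user data ever touches the shell.
function mime_as_written(string $file): string
{
    return trim((string) @shell_exec('file -bi $file'));
}

// 2. The naive "fix": double quotes interpolate $file unescaped, so the
//    metacharacters in the constructed value are interpreted by the shell
//    and "id > /tmp/pwned" runs as a second command. Deliberately never
//    called below; shown only to make the injectable command visible.
function mime_naive_fix(string $file): string
{
    return trim((string) @shell_exec("file -bi $file"));
}

// 3. Hardened: reject anything that is not a plain existing file, then
//    pass the path through escapeshellarg(), which wraps it in single
//    quotes and escapes embedded quotes so it is exactly one argument.
function mime_hardened(string $file): ?string
{
    if (strpos($file, "\0") !== false || !is_file($file)) {
        return null;
    }
    $out = shell_exec('file -bi ' . escapeshellarg($file));
    return $out === null ? null : trim($out);
}

// Print the command string each variant would hand to the shell, without
// executing the injectable one.
printf("as written : %s\n", 'file -bi $file');
printf("naive fix  : %s\n", "file -bi $file");
printf("hardened   : %s\n", 'file -bi ' . escapeshellarg($file));

// Running the non-injectable variants on the constructed value:
var_dump(mime_as_written($file)); // empty string: "file -bi" had no operand
var_dump(mime_hardened($file));   // NULL: the constructed path is not a real file
```

Even the hardened form still shells out for something PHP can do natively; on a host with the fileinfo extension, `finfo_file(finfo_open(FILEINFO_MIME_TYPE), $file)` gives the same answer with no shell involved at all, which is the change a reviewer should actually ask for.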

Re: Security through bad code
Posted by: Gareth Heyes
Date: August 15, 2008 03:09AM

Haha now that's good input filtering, a bit too good.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]

Re: Security through bad code
Posted by: kuza55
Date: August 15, 2008 09:51PM

tx Wrote:
-------------------------------------------------------
> So I was asked to review a php image resizing
> script for a client before they used it on their
> site, to let them know if I foresaw any problems
> using the script. I popped it open and quickly
> scanned over. Besides the fact that it is really
> quite poorly written, I came across what at a
> quick glance looked to be a possibility for Remote
> Command Execution. Here's the snippet:
>
> // try to determine mime type by using unix file
> command
> // this should not be executed on windows
> if( !valid_src_mime_type( $mime_type ) &&
> !(eregi('windows', php_uname()))) {
> if( preg_match( "/freebsd|linux/", $os ) ) {
> $mime_type = trim ( @shell_exec(
> 'file -bi $file' ) );
> }
> }
>
>
> that's right the $file variable is passed directly
> into a shell command... except it isn't;
> brilliantly the programmer decided to use single
> quotes around the string, not only ensuring that
> $mime_type is set to the usage instructions for
> the find command but also "fixing" the
> vulnerability.
>
> Score 1 for bad coding! :)


This is the part where you submit a patch to fix the fact that the code doesn't work and wait for the next release before 0wning whoever uses it :p

----------------------------------------------------------
Don't forget our IRC: irc://irc.irchighway.net/#slackers
[kuza55.blogspot.com]
