This national supplier has so many bugs in their website, that I keep asking myself, why? why don't you get out of the hole and start listening when white hackers warn you? Are you waiting for a harmful attack?
Or, better yet, use a damn open-source CMS with security updates and reviewed code by hundreds of developers. Yes, it can also fail, but the probability is very low.
So I was minding my own business, and looking for some driver and manual for my electronic scale and bumped in something strange... a Perl script to download the files, that's cute, but is it secure?
No.
"Directory traversal attack". Mr. Sérgio, this is what you should read about.
I've sent an e-mail on 22, November, 2013 and until today, at the time of writing I haven't got a response, and worse than that, the script is still insecure.
As a proof of concept, here goes your own script Mr. Sérgio:
#!/usr/bin/perl
use CGI;
$q = new CGI;
$fileid=$q->param("file");
@var = split(/\//,$fileid);
$filename = pop(@var);
$filename =~ s/\'//g;
print "Content-disposition: attachment; filename=$filename \n";
print "Content-type: application/pdf \n\n";
$filepath=$fileid;;
binmode STDOUT;
open(A,"$filepath") or print "can't open file located at $filepath";
binmode A;
while(read A,$buf,1024)
{
print STDOUT $buf;
}
close(A);
I'm not much a Perl guy, but it doesn't take to much to see what's wrong here.
What I don't really understand, is that 6 months later, after giving you a warning you haven't done anything.
And yes, I've got the right e-mail, a colleague of yours gave it to me.
Don't worry, I won't spread your company's URL or do anything that might damage your website, but please, fix that before someone with bad intentions messes with your work.
No comments:
Post a Comment