Saturday, May 17, 2014

Perl script fail

I really don't understand why people keep trying to reinvent the wheel, especially when it comes to web development.
This national supplier has so many bugs in their website that I keep asking myself: why? Why don't you get out of the hole and start listening when white-hat hackers warn you? Are you waiting for a harmful attack?
Or, better yet, use a damn open-source CMS with security updates and code reviewed by hundreds of developers. Yes, it can also fail, but the probability is very low.
So I was minding my own business, looking for a driver and manual for my electronic scale, and bumped into something strange... a Perl script to download the files. That's cute, but is it secure?
No.
"Directory traversal attack". Mr. Sérgio, this is what you should read about.
I sent an e-mail on 22 November 2013 and, at the time of writing, I still haven't got a response; worse than that, the script is still insecure.
As a proof of concept, here goes your own script Mr. Sérgio:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# The "file" parameter is taken straight from the request: no base directory,
# no check for ".." or absolute paths. This is the directory traversal flaw.
my $fileid = $q->param("file");

# Only the last path component is used for the download name shown to the
# browser; the full, unchecked value is still used to open the file below.
my @var      = split(/\//, $fileid);
my $filename = pop(@var);
$filename =~ s/\'//g;

print "Content-disposition: attachment; filename=$filename \n";
print "Content-type: application/pdf \n\n";

# The untrusted parameter becomes the path that is opened and streamed back.
my $filepath = $fileid;
binmode STDOUT;
open(A, "$filepath") or print "can't open file located at $filepath";
binmode A;
my $buf;
while (read A, $buf, 1024)
{
   print STDOUT $buf;
}
close(A);

I'm not much of a Perl guy, but it doesn't take much to see what's wrong here.
What I really don't understand is that, 6 months after giving you a warning, you haven't done anything.
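For contrast, here is how the same download handler can be written so that the "file" parameter cannot escape the download directory. This is an added example, not the supplier's code: the download root $BASE is a hypothetical path, and the safe_download_path() helper is mine. It accepts only a plain file name, resolves it with realpath() and then confirms the result still lives under the resolved root, so "../../etc/passwd", absolute paths and symlinks pointing outside the directory are all refused.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use Cwd qw(realpath);
use File::Spec;

# Hypothetical download root; the real site's directory is not known from the post.
my $BASE = '/var/www/downloads';

# Returns the resolved absolute path when $requested names a regular file that
# lives inside $base, otherwise undef. Kept free of CGI state so it can be
# exercised from the command line without a web server.
sub safe_download_path {
    my ($base, $requested) = @_;
    return undef unless defined $requested;

    # Allow only a bare file name: letters, digits, dot, dash, underscore.
    # Anything containing '/', '..', NUL bytes or other characters is rejected
    # before the value gets anywhere near the filesystem.
    return undef unless $requested =~ /\A[A-Za-z0-9_-]+(?:\.[A-Za-z0-9]+)?\z/;

    my $candidate = File::Spec->catfile($base, $requested);

    # realpath() follows symlinks and collapses '..'; it returns undef when the
    # file does not exist, which we treat the same as "not allowed".
    my $resolved = realpath($candidate);
    return undef unless defined $resolved && -f $resolved;

    my $root = realpath($base);
    return undef unless defined $root;

    # Final containment check: the resolved path must start with the resolved
    # root plus a separator, so a symlink escaping the directory is caught too.
    return undef unless index($resolved, $root . '/') == 0;
    return $resolved;
}

my $q    = CGI->new;
my $path = safe_download_path($BASE, scalar $q->param('file'));

# Decide the outcome before emitting any headers, so a failure gets a proper
# status instead of an error message appended to a "200 OK" PDF download.
unless (defined $path) {
    print $q->header(-status => '404 Not Found', -type => 'text/plain');
    print "No such file\n";
    exit;
}

open(my $fh, '<', $path) or do {
    print $q->header(-status => '500 Internal Server Error', -type => 'text/plain');
    print "Unable to read file\n";
    exit;
};

# The download name is derived from the already-validated path, so it cannot
# carry quotes or newlines into the Content-Disposition header.
my ($name) = $path =~ m{([^/]+)\z};
print $q->header(-type => 'application/pdf', -attachment => $name);

binmode STDOUT;
binmode $fh;
my $buf;
while (read($fh, $buf, 8192)) {
    print STDOUT $buf;
}
close($fh);
```

The important change is that the request no longer supplies a path at all, only a name that is joined onto a fixed directory; the realpath() containment check is a second layer in case the allowed directory ever contains a symlink. Three-argument open() with an explicit '<' mode also makes sure the value is treated purely as a file name.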
And yes, I've got the right e-mail, a colleague of yours gave it to me.
Don't worry, I won't spread your company's URL or do anything that might damage your website, but please, fix that before someone with bad intentions messes with your work.
