
[perl #24294] CGI.pm shares the param namespace with the attribute namespace

From: perlbug-followup
Date: October 25, 2003 12:40
Subject: [perl #24294] CGI.pm shares the param namespace with the attribute namespace
Message ID: rt-24294-66488.14.9801742568123@rt.perl.org
# New Ticket Created by  perl-5.8.0@ton.iguana.be 
# Please include the string:  [perl #24294]
# in the subject line of all future correspondence about this issue. 
# <URL: http://rt.perl.org/rt2/Ticket/Display.html?id=24294 >



This is a bug report for perl from perl-5.8.0@ton.iguana.be,
generated with the help of perlbug 1.34 running under perl v5.8.0.


-----------------------------------------------------------------
[Please enter your report here]

CGI.pm uses the object hash to store the parameter name/value pairs.
This means that you can use the parameters of a query to set
most internal attributes.

In particular, you can set things like "dontescape".

On at least one public website (identity withheld) running the CGI.pm
coming with 5.8.0 ($CGI::VERSION='2.81') I could do:

http://site.xxx.yyy/?field=qwe%22%3EX%3Cblink%3EXX%3Cx+x%3D%22&dontescape=1

where the "addr" parameter normally ends up in an input field with proper
escaping, but by adding the dontescape=1, I can close the field and
actually activate the <BLINK> tag in the page body. So this is usable
for exploiting cross-site-scripting holes.

Same idea from the command line:
perl -wle 'use CGI; $q=CGI->new; print $q->textfield($q->param("foo"))' foo="qwe%22%3EX%3Cblink%3EXX%3Cx+x%3D%22"\&dontescape=1

which outputs:

<input type="text" name="qwe">X<blink>XX<x x=""  />

Or:

perl -MCGI=:standard -wle 'print escapeHTML(param("arg"));' arg=%3Cxss+here%3E\&dontescape=1

outputting:
<xss here>

Some other internal attributes look usable too.

I think it's a fundamental mistake to use the object hash itself as the
place to hold parameter name/value pairs. 

The most recent CGI.pm (3.00) seems to have renamed dontescape to escape
and initializes it by default, which fixes it for that particular
variable, but any that don't get initialized (and there seem to be
several like .cgi_error, separator, final_separator, .header_printed,
.r, .path_info, cache, .parametersToAdd, .cookies, .raw_cookies, .tmpfiles)
are still vulnerable to this. Some of them still seem interesting to
control output and several are trivially usable to cause the CGI to
error (DoS). Even if you initialize them all, it's still very easy to
forget this on any changes. It also makes some actual fieldnames unusable.

Here's a "crash the CGI" example:
perl -MCGI=:standard -e 'cookie()' .cookies=1
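The design flaw the report describes, as an added illustration rather than CGI.pm's own code: a toy query object that stores parameters in the object hash itself (so a query parameter named "dontescape" overwrites the internal flag) beside one that keeps parameters in a dedicated sub-hash. The classes, the tiny query-string parser and the input string are all constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not CGI.pm source: two layouts for a query object, one with
# the parameter/attribute namespace collision from the report and one without.
use strict;
use warnings;

# Minimal query-string parser: "a=1&b=2" -> list of [name, value] pairs.
sub parse_query {
    my ($qs) = @_;
    my @pairs;
    for my $kv (split /&/, $qs) {
        my ($k, $v) = split /=/, $kv, 2;
        for ($k, $v) { defined or $_ = ''; tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        push @pairs, [$k, $v];
    }
    return @pairs;
}

sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Flawed layout: parameters and internal attributes share one hash, so a
# parameter called "dontescape" silently replaces the attribute of that name.
package Flawed;
sub new {
    my ($class, $qs) = @_;
    my $self = bless { dontescape => 0 }, $class;
    $self->{$_->[0]} = $_->[1] for main::parse_query($qs);   # collision happens here
    return $self;
}
sub param  { $_[0]{$_[1]} }
sub render { my $s = shift; $s->{dontescape} ? $s->param('arg') : main::escape_html($s->param('arg')) }

# Fixed layout: parameters live under their own key, so nothing in the query
# string can reach an attribute, and any field name is usable as a parameter.
package Fixed;
sub new {
    my ($class, $qs) = @_;
    my $self = bless { dontescape => 0, param => {} }, $class;
    $self->{param}{$_->[0]} = $_->[1] for main::parse_query($qs);
    return $self;
}
sub param  { $_[0]{param}{$_[1]} }
sub render { my $s = shift; $s->{dontescape} ? $s->param('arg') : main::escape_html($s->param('arg')) }

package main;
my $qs = 'arg=%3Cxss+here%3E&dontescape=1';   # constructed input, mirroring the report
print "flawed: ", Flawed->new($qs)->render, "\n";
print "fixed:  ", Fixed->new($qs)->render, "\n";
```

Running it shows the flawed object emitting the raw value and the fixed object emitting the escaped one from the very same query string.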

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl v5.8.0:

Configured by ton at Tue Nov 12 01:56:18 CET 2002.