Closed
Bug 321234
Opened 19 years ago
Closed 18 years ago
graph.cgi code execution
Categories
(Webtools Graveyard :: Tinderbox, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: guninski, Assigned: morgamic)
References
Details
Attachments
(1 file, 2 obsolete files)
|
8.23 KB,
patch
|
Details | Diff | Splinter Review |
it is possible to (ab)use webtools/graph/graph.cgi for code execution on the web server with the kind help of gnuplot(1). #man gnuplot ... Shell escapes and command line substitution. ... tested only locally: Shell escapes and command line substitution. http://localhost/cgi-bin/graph.cgi?testname=test1&tbox=tbox&units=%60touch%20/tmp/fuub1l2%60 |testname| and |tbox| should be valid values, easily obtained via mouse clicking. the command in |units| enclosed in backticks (`) gets executed for me.
|
||
Updated•19 years ago
|
Group: webtools-security
|
||
Comment 2•19 years ago
|
||
This is hosted at http://build-graphs.mozilla.org/graph.cgi on axolotl, which I've now disabled (chmod 000).
|
|
||
Comment 3•19 years ago
|
||
After poking around a bit, this appears to be most-closely related to Tinderbox, so that's probably the best place to put this bug.
Assignee: server-ops → mcafee
Component: Server Operations → Tinderbox
Product: mozilla.org → Webtools
QA Contact: justin → timeless
|
|
||
Comment 4•19 years ago
|
||
timeless is apparently working on fixing this. He says there's much scarier things in the code than just the issue Georgi found. Per timeless' request, I dropped an .htaccess file into the directory which limits access to collect.cgi (the submission engine that the tinderboxes submit to via http when they complete a build) to the known tinderboxes which have been hitting it over the last month (which amounts to our internal build farms and one outside host [Brad's]).
|
Reporter | |
Comment 5•19 years ago
|
||
(In reply to comment #4) > timeless is apparently working on fixing this. He says there's much scarier much scarier than code execution - you have suid scripts on production? > Per timeless' request, I > dropped an .htaccess file into the directory which limits access to collect.cgi collect.cgi seems to allow creation of files on the web server via open() with non validated input.
|
|
Reporter | |
Comment 6•19 years ago
|
||
http://build-graphs.mozilla.org/graph/rawdata.cgi is still online. check bug 321469
|
|
||
Comment 8•19 years ago
|
||
Comment on attachment 206844 [details] [diff] [review] first draft at requiring sane input graph.cgi doesn't work if you don't pass it any params. The tests here don't allow for the params to be blank (which is legal since it gives you a menu to pick from if you leave them out).
Attachment #206844 -
Flags: review?(justdave) → review-
|
Assignee | |
Comment 9•19 years ago
|
||
collect.cgi's patch has syntax errors (missing ;), and was also too restrictive for $data and $value. Certain build systems would fail to update their respective files in graphs/db/. Since collect.cgi is protected, it should be okay to leave it relatively open. The alternative would be to check all Tinderbox configurations and make sure the regexp is not excluding any system.
Attachment #206844 -
Attachment is obsolete: true
Attachment #209785 -
Flags: review?(justdave)
|
|
Assignee | |
Updated•19 years ago
|
Attachment #209785 -
Flags: review?(justdave)
Attachment #209785 -
Flags: review?(dveditz)
Attachment #209785 -
Flags: review?(chase)
|
||
Updated•19 years ago
|
Summary: graph.cgi code exection → graph.cgi code execution
|
||
Comment 10•19 years ago
|
||
Comment on attachment 209785 [details] [diff] [review] New patch without syntax errors. It also leaves GET pruning out of collect.cgi. Patch looks good. Since your heads in this space right now, it would be valuable for you to specify examples or a description of the patterns you're looking for with the regular expressions as comments in the code.
Attachment #209785 -
Flags: review?(chase) → review+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #209785 -
Flags: review?(dbaron)
|
|
Assignee | |
Comment 11•19 years ago
|
||
Wanted to note that the patch was a mix of timeless's patch w/ the ;'s plus some additional redundant checking of the inputs.
|
|
||
Comment 12•19 years ago
|
||
Comment on attachment 209785 [details] [diff] [review] New patch without syntax errors. It also leaves GET pruning out of collect.cgi. r=dveditz I'm not so sure thinking collect.cgi is "proteected" is a good reason to skip sanitizing its arguments, that's relying too much on every tinderbox being secure. But let's get this much in and running. dbaron is at a conference, pick someone else if you need 3 reviews.
Attachment #209785 -
Flags: review?(dveditz) → review+
|
|
Assignee | |
Updated•19 years ago
|
Attachment #209785 -
Flags: review?(dbaron)
|
|
||
Comment 13•19 years ago
|
||
Comment on attachment 209785 [details] [diff] [review] New patch without syntax errors. It also leaves GET pruning out of collect.cgi. A third review may be sought sooner than when dbaron gets back, but it would still be useful to have his review on this patch.
Attachment #209785 -
Flags: review?(dbaron)
Comment on attachment 209785 [details] [diff] [review] New patch without syntax errors. It also leaves GET pruning out of collect.cgi. I've never seen this code, but r=dbaron. A few comments, though: According to "man perlre", \w is 'alphanumeric plus "_"', so there shouldn't be any need to use \d or _ along with it. Does "." need to be escaped inside character classes in perl? +$TBOX = '' unless $TBOX =~ m/^(?:[-_\.\w\d]+)$/; why not just use m/^[-_\.\w\d]+$/ ? (occurs twice, I think) I think the regexp for SHOWPOINT should use \d+ rather than \d* and should have no ? after the ,.
Attachment #209785 -
Flags: review?(dbaron) → review+
|
||
Comment 15•18 years ago
|
||
. doesn't need to be escape in perl character classes. the (?:) stuff was from me building alternates and repeats, and is indeed unnecessary in this case. http://build-graphs.mozilla.org/graph/graph.cgi?tbox=comet.mozilla.org&testname=xulwinopen&autoscale=1&size=&days=7&units=<ype=&points=&showpoint=2006:06:03:18:25:46&avg=1 happens to work today, but if you want to tighten the restriction, we can do it as you described.
|
||
Comment 16•18 years ago
|
||
It seems nobody ever checked this in, so I'm doing that. I addressed several of dbaron's nits, but since this service is being replaced by vlad's new graph server, I didn't spend that much time on it.
Attachment #209785 -
Attachment is obsolete: true
|
|
||
Comment 17•18 years ago
|
||
Checking in collect.cgi; /cvsroot/mozilla/webtools/graph/collect.cgi,v <-- collect.cgi new revision: 1.7; previous revision: 1.6 done Checking in compare-graphs.cgi; /cvsroot/mozilla/webtools/graph/compare-graphs.cgi,v <-- compare-graphs.cgi new revision: 1.2; previous revision: 1.1 done Checking in graph.cgi; /cvsroot/mozilla/webtools/graph/graph.cgi,v <-- graph.cgi new revision: 1.20; previous revision: 1.19 done Checking in multiquery.cgi; /cvsroot/mozilla/webtools/graph/multiquery.cgi,v <-- multiquery.cgi new revision: 1.15; previous revision: 1.14 done Checking in query.cgi; /cvsroot/mozilla/webtools/graph/query.cgi,v <-- query.cgi new revision: 1.41; previous revision: 1.40 done Checking in rawdata.cgi; /cvsroot/mozilla/webtools/graph/rawdata.cgi,v <-- rawdata.cgi new revision: 1.6; previous revision: 1.5 done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
|
||
Updated•18 years ago
|
Group: webtools-security
|
||
Updated•10 years ago
|
Product: Webtools → Webtools Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•