
I'm working on a BASH CGI Binary that reads a string a user would type from an HTML form, then appends that string to a log file on my Linux server. I'm using BASH.cgi as seen on (http://oinkzwurgl.org/bash_cgi) to transfer all the POST/GET input user strings automatically into variables. Everything is working perfectly fine, however I found a major security flaw:

HTML Form...

        <form action="?" method="POST">
            Feedback:<textarea name="comments"></textarea>
            <input type="submit" value="Submit">
        </form>

BASH CGI...

        echo "$comments" >> ./logs/log.txt

Suppose a malicious user would submit the following into the comments text area of the form:

        $( rm -rf / )

BASH.cgi would then create a new variable called "comments" that returns the executed value of everything in between the $( and the ). This would, as a result, compromise the server by executing anything a malicious user would please. There must be a way to directly and safely pass the string of a variable without executing what's inside. Any help would be greatly appreciated!

-- Egoscio


1 Answer


What you've identified is a vulnerability in Bash.CGI itself — it is failing to properly filter out $( in variables.

Do not use Bash.CGI. It is insecure. Beyond the issue you have identified, a number of other serious vulnerabilities exist in this script, some of which are listed below. I would highly recommend that you use another, more appropriate scripting language, such as Perl, Python, or PHP.


Bonus vulnerabilities:

  • Every variable present in a GET or POST query is imported into a variable, including variables that have special significance to the shell (e.g., PATH) and ones which were part of the CGI environment (e.g., REMOTE_USER, as noted in the documentation).

  • The name of a variable is not filtered at all. Variable names containing special characters may cause unexpected behavior.

  • Probably more. Again, this script is insecure. Do not use it.


2 Comments

Thanks for replying so fast! I was hoping there was a possibility to safely utilize BASH to make web apps, however I never took into consideration the rest of the security problems that you have mentioned. I will try learning PHP instead. Another question, is bashlib any safer? Thanks again.
I haven't looked at bashlib; that being said, shell scripts are not a well-suited language for writing CGI scripts in general.
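For readers who want to see concretely why the Bash.CGI behaviour is avoidable: the root cause is that the library builds variables with `eval`, so `$( ... )` in a form field is executed rather than stored. The script below is an added example, not code from the question, the answer or Bash.CGI. It decodes a form body with plain parameter expansion and `printf`, never `eval`, then strips control characters before appending to the log so a submitted newline cannot forge extra log lines. It assumes the field name `comments` and the `./logs/log.txt` path from the question; `REQUEST_METHOD` and `CONTENT_LENGTH` are the standard CGI environment variables, and the 64 KiB body cap is an arbitrary choice for illustration.

```shell
#!/bin/sh
# Added example: handle a CGI form field safely without eval.

# Decode one application/x-www-form-urlencoded value character by character.
# '+' becomes a space and '%XX' becomes the byte XX; everything else is copied
# literally, so '$(' is just two ordinary characters in the result.
urldecode() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}          # first character of s
        s=${s#?}                 # drop it
        case $c in
            +) out="$out " ;;
            %)
                hex=${s%"${s#??}"}   # next two characters, if present
                case $hex in
                    00) s=${s#??} ;;  # a NUL byte cannot live in a shell variable: drop it
                    [0-9A-Fa-f][0-9A-Fa-f])
                        s=${s#??}
                        # Convert hex to octal so a plain POSIX printf escape can emit it;
                        # the trailing 'x' keeps $(...) from eating a decoded newline.
                        ch=$(printf "\\$(printf '%03o' "$((0x$hex))")x")
                        out="$out${ch%x}"
                        ;;
                    *) out="$out%" ;;   # malformed escape: keep the literal '%'
                esac
                ;;
            *) out="$out$c" ;;
        esac
    done
    printf '%s' "$out"
}

# Print the decoded value of field $2 from query string $1; exit 1 if absent.
# The body is split on '&' with parameter expansion only, so nothing is evaluated.
form_value() {
    rest="$1&"
    while [ -n "$rest" ]; do
        pair=${rest%%&*}
        rest=${rest#*&}
        case $pair in
            "$2="*) urldecode "${pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# One log entry from a raw body: decode the 'comments' field and delete
# control characters (newline, tab, CR, ...) so a user cannot inject fake lines.
sanitized_comment() {
    comment=$(form_value "$1" comments) || comment=''
    printf '%s' "$comment" | tr -d '[:cntrl:]'
}

# CGI entry point (runs only when a web server invokes the script with POST).
if [ "${REQUEST_METHOD:-}" = POST ]; then
    case ${CONTENT_LENGTH:-} in
        ''|*[!0-9]*) printf 'Status: 400\r\n\r\n'; exit 1 ;;
    esac
    # Assumed cap of 64 KiB on the request body.
    [ "$CONTENT_LENGTH" -le 65536 ] || { printf 'Status: 413\r\n\r\n'; exit 1; }
    body=$(dd bs=1 count="$CONTENT_LENGTH" 2>/dev/null)
    printf '%s\n' "$(sanitized_comment "$body")" >> ./logs/log.txt
    printf 'Content-Type: text/plain\r\n\r\nThanks for your feedback.\n'
fi
```

Fed the constructed body `comments=%24%28+rm+-rf+%2F+%29` (the encoded form of the payload in the question), `sanitized_comment` returns the literal text `$( rm -rf / )`, which `echo "$comment" >> log` then appends as data. The only place a shell would ever execute it is an `eval`, and there is none here.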
