Re: Serverside script injection?

Hi,

On Fri, Jan 10, 2003 at 09:05:31AM -0000, joh ket wrote:
>
> I have a question regarding serverside script injection. Does it exist -
> is it possible?

Depending on how you'd define "serverside script injection" the answer would usually be "yes". :-)

> In the past there were some vulnerabilities in serverside scripts. It was
> possible to execute OS-commands through URL/userinput manipulation,
> I assume this happened mostly with CGI and perl scripts. Was this just
> based on the way the variables (userinput) was used in OS commands,
> and if the 'user data' was able to break out the intended command?

That was (is?) a quite common problem, but probably not the only one.

> I think it depends on the applicationserver software if 'serverside script
> injection' is possible or not (assuming the programmer/coder does not want
> any security).

No! The programmer of a web application *must* be aware of the security implications of his programs. Otherwise I think it is possible in *any* application server (that allows turing-complete programming) to write a program that can be exploited. It is true that some application servers make this easier than others.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> Is it (theoretically) possible on ASP servers to inject 'malicious' code
> into the webpage, so that it is processed on the serverside?
> Is it possible on PHP or Coldfusion?

I remember a posting (probably on bugtraq) a couple of days ago, where some user data was being written to a file, and the username was used as the filename. So if your username was "someone.php" and you requested that file via HTTP the server would parse it as a PHP page - executing any commands you had embedded in your "user data". That kind of thing would work on an ASP or JSP server as well.

Bye,

        Peter

-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg

Germany