Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

CGI.pm shares the param namespace with the attribute namespace #6867

Closed p5pRT closed 17 years ago

p5pRT commented 21 years ago

Migrated from rt.perl.org#24294 (status was 'resolved')

Searchable as RT24294$

p5pRT commented 21 years ago

From perl-5.8.0@ton.iguana.be

Created by perl-5.8.0@ton.iguana.be

CGI.pm uses the object hash to store the parameter name/value pairs. This means that you can use the parameters of a query to set most internal attributes.

In particular, you can set things like "dontescape".

On at least one public website (identity withheld) running the CGI.pm coming with 5.8.0 ($CGI::VERSION='2.81') I could do:

http://site.xxx.yyy/?field=qwe%22%3EX%3Cblink%3EXX%3Cx+x%3D%22&dontescape=1

where the "addr" parameter normally ends up in an input field with proper escaping, but by adding the dontescape=1, I can close the field and actually activate the <blink> tag in the page body. So this is usable for exploiting cross-site-scripting holes.

Same idea from the commandline: perl -wle 'use CGI; $q=CGI->new; print $q->textfield($q->param("foo"))' foo="qwe%22%3EX%3Cblink%3EXX%3Cx+x%3D%22"\&dontescape=1

which outputs:

\X\XX\

Or:

perl -MCGI=:standard -wle 'print escapeHTML(param("arg"));' arg=%3Cxss+here%3E\&dontescape=1

outputting: <xss here>

Some other internal attributes look usable too.

I think it's a fundamental mistake to use the object hash itself as the place to hold parameter name/value pairs.

The most recent CGI.pm (3.00) seems to have renamed dontescape to escape and initialize it by default which fixes it for that particular variable, but any that don't get initialized (and there seem to be several like .cgi_error, separator, final_separator, .header_printed, .r, .path_info, cache, .parametersToAdd, .cookies, .raw_cookies, .tmpfiles) are still vulnerable to this. Some of them still seem interesting to control output and several are trivially usable to cause the CGI to error (DOS). Even if you initialize them all, it's still very easy to forget this on any changes. It also makes some actual fieldnames unusable.

Here's a "crash the CGI" example: perl -MCGI=:standard -e 'cookie()' .cookies=1

Perl Info

```
Flags:
    category=core
    severity=medium

Site configuration information for perl v5.8.0:

Configured by ton at Tue Nov 12 01:56:18 CET 2002.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.4.19, archname=i686-linux-thread-multi-64int-ld
    uname='linux quasar 2.4.19 #5 wed oct 2 02:34:25 cest 2002 i686 unknown '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=undef uselongdouble=define
    usemymalloc=y, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -fomit-frame-pointer',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='2.95.3 20010315 (release)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -ldb -ldl -lm -lpthread -lc -lposix -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lpthread -lc -lposix -lcrypt -lutil
    libc=/lib/libc-2.2.4.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.2.4'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:

@INC for perl v5.8.0:
    /usr/lib/perl5/5.8.0/i686-linux-thread-multi-64int-ld
    /usr/lib/perl5/5.8.0
    /usr/lib/perl5/site_perl/5.8.0/i686-linux-thread-multi-64int-ld
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    .

Environment for perl v5.8.0:
    HOME=/home/ton
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/ton/bin.Linux:/home/ton/bin:/home/ton/bin.SampleSetup:/usr/local/bin:/usr/local/sbin:/usr/local/jre/bin:/home/oracle/product/9.0.1/bin:/usr/local/ar/bin:/usr/games/bin:/usr/X11R6/bin:/usr/share/bin:/usr/bin:/usr/sbin:/bin:/sbin:.
    PERL_BADLANG (unset)
    SHELL=/bin/bash
```
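The design flaw the report describes, shown side by side with the remedy it argues for, as an added example (not code from the report or from CGI.pm): two toy query parsers that differ only in whether parsed parameters share the object hash with internal attributes. The class and function names (SharedNS, SeparateNS, parse_query, render) and the query string are constructed for this illustration.

```perl
use strict;
use warnings;
# Decode an application/x-www-form-urlencoded query string into [key, value] pairs.
sub parse_query {
    my ($qs) = @_;
    my @pairs;
    for my $kv (split /[&;]/, $qs) {
        my ($k, $v) = split /=/, $kv, 2;
        $v = '' unless defined $v;
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge }
        push @pairs, [ $k, $v ];
    }
    return @pairs;
}
sub escape_html {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Flawed layout (the one the report describes): parameters go straight into the
# object hash, so a query key that matches an internal attribute overwrites it.
package SharedNS;
sub new {
    my ($class, $qs) = @_;
    my $self = bless { dontescape => 0 }, $class;   # attribute initialised...
    $self->{ $_->[0] } = $_->[1] for main::parse_query($qs);   # ...then clobbered
    return $self;
}
sub param  { $_[0]{ $_[1] } }
sub render { my ($s, $v) = @_; $s->{dontescape} ? $v : main::escape_html($v) }

# Separated layout: parameters live under one dedicated key, so no query key
# can reach an internal attribute, initialised or not.
package SeparateNS;
sub new {
    my ($class, $qs) = @_;
    my $self = bless { dontescape => 0, '.parameters' => {} }, $class;
    $self->{'.parameters'}{ $_->[0] } = $_->[1] for main::parse_query($qs);
    return $self;
}
sub param  { $_[0]{'.parameters'}{ $_[1] } }
sub render { my ($s, $v) = @_; $s->{dontescape} ? $v : main::escape_html($v) }

package main;
my $qs = 'arg=%3Cxss+here%3E&dontescape=1';   # constructed, same shape as the report's
for my $class (qw(SharedNS SeparateNS)) {
    my $q = $class->new($qs);
    printf "%-10s dontescape=%s output=%s\n", $class, $q->{dontescape}, $q->render($q->param('arg'));
}
```

SharedNS prints the raw `<xss here>` because the query set its dontescape attribute to 1; SeparateNS keeps dontescape at 0 and prints `&lt;xss here&gt;`, which is also why the report's list of uninitialised attributes stops mattering once the namespaces are split.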
p5pRT commented 17 years ago

From lstein@cshl.edu

Fixed in 3.38. Sorry for the delay.

p5pRT commented 17 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 17 years ago

From p5p@spam.wizbit.be

This is resolved in version 3.38 of CGI.pm.

p5pRT commented 17 years ago

p5p@spam.wizbit.be - Status changed from 'open' to 'resolved'