In association with heise online

Shell theft

Things get interesting when an application appears to pass parameters to the shell or to another powerful server-side service. One indication is a filename being passed as a parameter, for instance:

convert_me.php?f=doc.txt

Parameter f is, in principle, vulnerable to shell command injection and to directory traversal, such as f=/etc/passwd. If the script checks the file's extension, f=/etc/passwd%00.txt may help, provided the web server decodes the %00 into a real zero byte and the programming language then hands a zero-terminated C string to the operating system, which stops reading the name at that byte. A number of content management systems, such as PHP Nuke, check only some of these parameters correctly. PHP Nuke, for instance, may fail to catch foreign include files or, on Windows, network shares passed in the modpath parameter. Some applications pass e-mail address parameters straight to the Sendmail command line and are thus also vulnerable to injection.
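The two parameter checks described above, as an added example that is not from the article or from any of the products it names: a naive extension check of the kind that the %00 trick defeats, beside a hardened check that rejects zero bytes and path separators and confines the resolved path to one directory, plus a Sendmail call that passes the validated address as an argv element so no shell ever parses it. The directory, the address pattern and the function names are assumptions made for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Constructed values for the demonstration; not taken from any real deployment.
UPLOAD_DIR = "/var/www/uploads"
MAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def naive_is_txt(raw_param: str) -> bool:
    """The kind of check the article describes: look only at the decoded ending.
    It accepts '/etc/passwd%00.txt' because the decoded name still ends in '.txt',
    even though a C string API would stop at the zero byte and open /etc/passwd."""
    return unquote(raw_param).endswith(".txt")


def resolve_safe_path(base_dir: str, raw_param: str, allowed_ext: str = ".txt"):
    """Hypothetical hardened check. Returns an absolute path inside base_dir,
    or None when the parameter is rejected."""
    decoded = unquote(raw_param)
    # A zero byte would truncate the name once it reaches a C string API,
    # so the file actually opened would not be the one whose ending was checked.
    if "\x00" in decoded:
        return None
    # Accept only a bare filename: no separators, no '.' or '..' components.
    if "/" in decoded or "\\" in decoded or decoded in ("", ".", ".."):
        return None
    if not decoded.endswith(allowed_ext):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    # Belt and braces: after resolving symlinks the path must still sit under base.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def sendmail_argv(recipient: str):
    """Build an argv list for a sendmail call. The address is validated and
    handed over as one argument, so no shell ever interprets it; a leading
    '-' is refused so sendmail cannot read the value as an option."""
    if not MAIL_RE.fullmatch(recipient) or recipient.startswith("-"):
        return None
    return ["/usr/sbin/sendmail", recipient]


if __name__ == "__main__":
    for value in ("doc.txt", "/etc/passwd", "..%2F..%2Fetc%2Fpasswd", "/etc/passwd%00.txt"):
        print(f"{value:26} naive={naive_is_txt(value)!s:5} "
              f"hardened={resolve_safe_path(UPLOAD_DIR, value)}")
    print(sendmail_argv("alice@example.com"), sendmail_argv("alice@example.com;id"))
```

The argv list is meant for subprocess.run without shell=True; the validation is what keeps a crafted address from becoming a second command or an extra option.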

Jam session

Today, developers use session IDs to authenticate a valid browser connection. Although this mechanism is relatively secure, a defective implementation can quickly become a security hole. In general, you have to check whether session IDs have enough entropy, i.e. enough randomness. Attackers have no trouble getting a server to generate a hundred IDs, which they can then analyse, or attack by brute force [5], to detect a generator algorithm that is not random.

Specialised tools such as WebScarab (see below) can assist you in analysing your own IDs. The software collects session IDs from cookies and plots them graphically over time; session IDs that contain a time component, which attackers can take advantage of, then show up as irregularities and correlations. However, the software is not easy to operate: the cookie has to be specified in a somewhat unusual form -- domain.host/directory cookie-name -- and a test button has to verify that the URL really delivers the desired cookie via the Set-Cookie header. The value of the cookie can then be reduced to a purely numeric form using regular expressions. Session IDs transmitted in URL parameters, however, are not as easy to check.
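To make the entropy and time-component analysis of the two preceding paragraphs concrete, here is an added example that is not from the article and not WebScarab's code: a constructed weak generator (clock plus counter) beside one fed by the operating system's CSPRNG, and two checks of the kind one would read off a plot of collected IDs, the mean entropy per hex position and whether consecutive IDs lie close together numerically. The generators, the sample size and the thresholds are assumptions for the demonstration.

```python
import math
import secrets
from collections import Counter

ID_LEN = 16  # both generators below emit 64-bit values as 16 hex characters


def weak_session_id(epoch_ms: int, counter: int) -> str:
    """Constructed weak generator: millisecond clock in the high bits, a
    per-request counter in the low byte. Deliberately predictable."""
    return format(((epoch_ms << 8) | (counter & 0xFF)) & 0xFFFFFFFFFFFFFFFF, "016x")


def strong_session_id() -> str:
    """64 bits from the OS CSPRNG; the benchmark the weak one is compared with."""
    return secrets.token_hex(8)


def bits_per_position(ids):
    """Mean Shannon entropy (in bits) of each hex position across the sample.
    A uniform hex digit scores about 4.0; a position that never changes scores 0."""
    n = len(ids)
    total = 0.0
    for pos in range(ID_LEN):
        counts = Counter(sid[pos] for sid in ids)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / ID_LEN


def looks_sequential(ids, window=1 << 20):
    """True when most consecutive IDs lie within `window` of one another,
    which is what a clock- or counter-driven generator produces."""
    values = [int(sid, 16) for sid in ids]
    close = sum(1 for a, b in zip(values, values[1:]) if abs(b - a) < window)
    return close > len(values) // 2


def assess(ids):
    """Summarise a captured sample the way one would read a WebScarab plot."""
    bits = bits_per_position(ids)
    sequential = looks_sequential(ids)
    weak = bits < 2.0 or sequential
    return {"bits_per_position": round(bits, 2), "sequential": sequential,
            "verdict": "weak" if weak else "no obvious problem"}


def sample_weak(n=100, start_ms=1_700_000_000_000):
    # Constructed capture: n requests issued a few milliseconds apart.
    return [weak_session_id(start_ms + 3 * i, i) for i in range(n)]


def sample_strong(n=100):
    return [strong_session_id() for _ in range(n)]


if __name__ == "__main__":
    print("weak  :", assess(sample_weak()))
    print("strong:", assess(sample_strong()))
```

With a hundred samples the CSPRNG output scores just under four bits per position (the empirical estimate is biased slightly low for small samples) and no two consecutive values are anywhere near each other; the clock-driven IDs keep all but their last few hex digits constant and step forward by a fixed amount, which is exactly the correlation the plot is meant to reveal.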

[Image 3: You have to tell Internet Explorer to use the local proxy to redirect all traffic to the testing tools.]

When session IDs occur in GET requests, and this happens often enough, the results can be fatal. Such URLs then turn up as referers in the log files of other web servers, where, within the appropriate timeframe (before the session times out), they can be used as stepping stones into the inboxes of unsuspecting surfers.

Permalink: http://h-online.com/-747167