
Potential security issue with LedgerSMB (inherited from SL)

Greetings folks,

I've noticed something a while back, that's been in the back of my
mind that I think needs addressing as a potential security problem
(well, there are lots really, but this one might be critical).

In many places throughout the code, Dieter used 'if
($ENV{HTTP_USER_AGENT})' to determine whether the user is accessing the
site via a web browser or the command line. This, of course, is a bad
assumption to make, because the user can easily not provide a user
agent, and then this will be false. The real question is, is this being
used in a dangerous way? I'm betting that it just might be.

I used this script to display the $ENV:

 #!/usr/bin/perl -W
 use strict;
 use warnings;
 use Data::Dumper;

 # Send a CGI header first, then dump every environment variable the
 # web server handed us so we can see what a request actually carries.
 print "Content-type: text/html\n\n<pre>";
 print Dumper( \%ENV );
 print "</pre>";

and it spewed out a bunch of ENV vars:

$VAR1 = {
         'SCRIPT_NAME' => '/ledger-smb/foo.pl',
         'SERVER_NAME' => 'home.corporateunderground.org',
         'SERVER_ADMIN' => '..hidden..',
         'HTTP_ACCEPT_ENCODING' => 'gzip,deflate',
         'HTTP_CONNECTION' => 'keep-alive',
         'REQUEST_METHOD' => 'GET',
         'HTTP_ACCEPT' =>
         'SCRIPT_FILENAME' => '/home/chris/ledger-smb/trunk/foo.pl',
         'SERVER_SOFTWARE' => 'Apache/2.2.2 (Fedora)',
         'HTTP_ACCEPT_CHARSET' => 'ISO-8859-1,utf-8;q=0.7,*;q=0.7',
         'QUERY_STRING' => '',
         'REMOTE_PORT' => '53882',
         'SERVER_PORT' => '80',
         'SERVER_SIGNATURE' => ' Apache/2.2.2 (Fedora) Server at
home.corporateunderground.org Port 80',
         'HTTP_ACCEPT_LANGUAGE' => 'en-us,en;q=0.5',
         'REMOTE_ADDR' => '',
         'HTTP_KEEP_ALIVE' => '300',
         'SERVER_PROTOCOL' => 'HTTP/1.1',
         'PATH' => '/sbin:/usr/sbin:/bin:/usr/bin',
         'REQUEST_URI' => '/ledger-smb/foo.pl',
         'GATEWAY_INTERFACE' => 'CGI/1.1',
         'SERVER_ADDR' => '',
         'DOCUMENT_ROOT' => '/home/chris/public_html',
         'HTTP_HOST' => 'home.corporateunderground.org'
        };

Now, the question is, do we use a different $ENV var to detect an HTTP
connection from the above, or do we use another means? Either way, the
'if ($ENV{HTTP_USER_AGENT})' is wrong, if not dangerous. As you can see
from above, this was the output when I ran the script with a custom
user agent via the Firefox extension 'User Agent Switcher'; notice the
lack of the HTTP_USER_AGENT variable.

We might want to warn Dieter about this, although from the experience
of the last security notice (both behind the scenes first and after
the public disclosure), I'm not sure if he'll take it seriously. So,
unfortunately, this might just be a waste of our time. Tony, your
rapport with Dieter seems to be better, maybe you might want to let
him know after we've determined if this is serious or not.
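
The contrast described above, as an added example that is not LedgerSMB
or SQL-Ledger code: the User-Agent based test next to one that keys on
variables the web server sets itself. Every CGI variable named HTTP_*
is copied from a request header, so the remote client decides whether
it exists; GATEWAY_INTERFACE and REQUEST_METHOD are set by the server
for each CGI invocation (per CGI/1.1) no matter which headers the
client omits, and are absent when the script is started from a shell.
The three sample environments are constructed for the example, not
real captures.

```perl
#!/usr/bin/perl
# Added example (not LedgerSMB or SQL-Ledger code): compare a
# "running under a web server?" test based on a client-controlled
# header with one based on server-set CGI variables.
use strict;
use warnings;

# Weak: HTTP_USER_AGENT exists only if the client sent a User-Agent
# header, so the client picks which branch the application takes.
sub is_web_request_weak {
    my ($env) = @_;
    return $env->{HTTP_USER_AGENT} ? 1 : 0;
}

# Robust: GATEWAY_INTERFACE and REQUEST_METHOD are populated by the
# web server for every CGI request and are not derived from headers.
sub is_web_request {
    my ($env) = @_;
    return 1 if defined $env->{GATEWAY_INTERFACE}
             && $env->{GATEWAY_INTERFACE} =~ m{^CGI/};
    return 1 if defined $env->{REQUEST_METHOD};
    return 0;
}

# Constructed sample environments (not real captures).
my %browser_with_ua = (
    GATEWAY_INTERFACE => 'CGI/1.1',
    REQUEST_METHOD    => 'GET',
    HTTP_USER_AGENT   => 'Mozilla/5.0',
);
my %browser_no_ua = (           # e.g. User Agent Switcher set to blank
    GATEWAY_INTERFACE => 'CGI/1.1',
    REQUEST_METHOD    => 'GET',
);
my %shell = (                   # script run from a terminal
    PATH => '/usr/bin:/bin',
    HOME => '/home/chris',
);

for my $case ( [ 'browser, UA sent' => \%browser_with_ua ],
               [ 'browser, no UA'   => \%browser_no_ua ],
               [ 'command line'     => \%shell ] ) {
    my ( $label, $env ) = @$case;
    printf "%-18s weak=%d robust=%d\n", $label,
        is_web_request_weak($env), is_web_request($env);
}
```

Run stand-alone this prints weak=1 robust=1 for the browser that sent a
User-Agent, weak=0 robust=1 for the browser that did not, and
weak=0 robust=0 for the shell run. The second row is the failure mode
from the ENV dump above: the weak check hands a remote client whatever
the non-web branch does. A local operator can of course export
GATEWAY_INTERFACE before running the script from a shell, but that is
the trusted side pretending to be the untrusted one, which is the
harmless direction.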