The danger of a web server writeable document area

May 23, 2007

Once you have CGI programs running through your web server, you might rationally ask why allowing them to write into the web server's document area adds any extra danger: after all, if a CGI program is compromised, the attacker gets to run all the code they want anyways.

Well, in theory. The flaw in this theory is that there are different kinds of vulnerabilities.

In practice it turns out that 'file dropper' vulnerabilities, where a CGI program (especially PHP programs) can be tricked into writing attacker-supplied files to an attacker-supplied location, are much more common than code execution vulnerabilities, where an attacker can make your CGI actually run their code. In a sense, this shouldn't be too surprising; many CGI programs already write files and thus just need to be tricked about where to put them and what to put in them, but few dynamically execute code to start with.

(Dynamic code execution gets most of the press anyways for various reasons, including that it is the most dangerous sort of vulnerability.)

If you have a file dropper exploit and can write to some place where the files will be executed, you can bootstrap to running your own code; the classical case is to drop PHP files into the document area of a web server that runs PHP. Nor are you entirely safe with a static file document area; planting HTML files is enough to infect your web site with spam pages and attempts to exploit browser vulnerabilities, both of which can be lucrative activities.

And even if an attacker has fully compromised a CGI program, they may want to stick their own program into your web server setup so that they can hide better. Often exploiting the CGI's vulnerability may leave very odd log messages that you might notice in time, whereas with their own crafted program the cracker can just send bland looking POST requests and you'll never be the wiser.

(For example, something we saw here dropped a Bzip.php file into a directory that already had legitimate Tar.php and Zip.php files. The meticulous will notice this anyways, but more casual people could overlook it for some time.)

Written on 23 May 2007.
« A case for breaking the web server ownership guidelines
Firefox preferences settings that I use »

Page tools: View Source, Add Comment.
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Wed May 23 22:29:07 2007
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.