htdig3-dev Security hole in htnotify


Geoff Hutchison (ghutchis@wso.williams.edu)
Sat, 19 Dec 1998 14:11:09 -0500 (EST)


Andrew and I just received a warning about a nasty vulnerability in
htnotify. I'd like to move on this quickly and make a 3.1.0b4 release
ASAP. If someone could take a look at my patch, I'd appreciate another few
sets of eyes. This is the recent update to htnotify.

The problem is that the contents of the htnotify-email tag on HTML pages
are used directly as the address for the message. Since this is sent
directly to a command environment, even remote users could execute
commands with the permissions of the user running htnotify. :-(

The following patch should strip e-mail addresses down to legal characters
(i.e. [A-Z][a-z][0-9][.-_@]) and require sendmail to pick up the address
from the message itself.

-Geoff

*** htdig3/htnotify/htnotify.cc Thu Dec 3 23:13:52 1998
--- htdig3.dev/htnotify/htnotify.cc Fri Dec 18 01:40:29 1998
*************** void htnotify(DocumentRef &ref)
*** 212,222 ****
  void send_notification(char *date, char *email, char *url, char *subject)
  {
    /* Currently unused int fildes[2]; */
- String to = email;
  
      String command = SENDMAIL;
- command << " -F \"ht://Dig Notification Service\" -f ";
- command << config["htnotify_sender"];
  
      char *token = strtok(to, " ,\t\r\n");
      while (token)
--- 212,229 ----
  void send_notification(char *date, char *email, char *url, char *subject)
  {
    /* Currently unused int fildes[2]; */
  
+ // Before we do anything with the email address, we need to sanitize it.
+ static char ok_chars[] = "abcdefghijklmnopqrstuvwxyz\
+ ABCDEFGHIJKLMNOPQRSTUVWXYZ\
+ 1234567890_-.@";
+ char *cursor; // cursor into email address //
+
+ for (cursor = email; *(cursor += strspn(cursor, ok_chars));)
+ *cursor = '_'; // Set it to something harmless
+
+ String to = email;
      String command = SENDMAIL;
  
      char *token = strtok(to, " ,\t\r\n");
      while (token)
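Review bot: sanitizing `email` in place before the `strtok(to, " ,\t\r\n")` split means the split can no longer fire: space, comma and tab are not in `ok_chars`, so the `for` loop rewrites them to `_`, and a tag that lists several recipients collapses into a single token such as `a@x.org_b@y.org` that later goes verbatim into the `To:` header. Tokenize first and then check each token against `ok_chars` (dropping a token that fails rather than rewriting it), or at minimum add the separators to `ok_chars`. The loop also writes into the caller's `email` buffer, which deserves a comment or a copy. The context stops before the `while (token)` body, so please confirm that body no longer appends `token` to `command`; with `-t` supplying recipients from the headers, nothing from the tag should still reach the command line.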
*************** void send_notification(char *date, char
*** 225,237 ****
        token = strtok(0, " ,\t\r\n");
      }
      
      FILE *fileptr;
      if( (fileptr = popen(command.get(), "w")) != NULL ) {
  
        if (!subject || !*subject)
! subject = "notification";
! String out;
! out << "From: " << config["htnotify_sender"] << "\n";
        out << "Subject: WWW notification: " << subject << '\n';
        out << "To: " << to.get() << '\n';
        out << "Reply-To: " << config["htnotify_sender"] << "\n";
--- 232,245 ----
        token = strtok(0, " ,\t\r\n");
      }
      
+ command << " -t";
      FILE *fileptr;
      if( (fileptr = popen(command.get(), "w")) != NULL ) {
  
        if (!subject || !*subject)
! subject = "page expired";
! String out;
! out << "From: ht://Dig Notification Service" << "\n";
        out << "Subject: WWW notification: " << subject << '\n';
        out << "To: " << to.get() << '\n';
        out << "Reply-To: " << config["htnotify_sender"] << "\n";
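Review bot: `out << "From: ht://Dig Notification Service" << "\n"` emits a `From:` header with a display name but no address, and since the first hunk drops `-f`, the envelope sender now defaults to whatever account runs htnotify; keep `config["htnotify_sender"]` in the header, e.g. `out << "From: ht://Dig Notification Service <" << config["htnotify_sender"] << ">\n";`. With `-t`, sendmail reads recipients from `To:`, `Cc:` and `Bcc:`, so `to.get()` must hold a proper comma-separated list here, which only works if the tokenizing above preserved the separators. The default subject also changes from "notification" to "page expired" in this hunk; that is unrelated to the fix and should go in its own change or at least be called out.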



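Added example, not part of Geoff's patch or the ht://Dig code: a recipient sanitizer that splits the tag value on the same separators the patch tokenizes on, drops any address containing a character outside the patch's allowed set instead of rewriting it, and returns a comma-joined list for the To: header so that sendmail -t, not the command line, carries the recipients. The function name `sanitize_recipients` and the sample tag value are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>
/* Same allowed set and the same separators the htnotify patch uses. */
static const char OK_CHARS[] = "abcdefghijklmnopqrstuvwxyz"
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-.@";
static const char DELIMS[] = " ,\t\r\n";
/* Split the tag value on DELIMS, keep only tokens made entirely of OK_CHARS
 * with exactly one '@', and join the survivors with ", " into `out`, ready
 * for a To: header. The input is not modified. Returns the number of
 * accepted addresses, or -1 if `out` is too small. */
int sanitize_recipients(const char *email, char *out, size_t outlen)
{
    size_t used = 0;
    int accepted = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    for (const char *p = email + strspn(email, DELIMS); *p;
         p += strspn(p, DELIMS)) {
        size_t len = strcspn(p, DELIMS);          /* this token's length */
        int ats = 0;
        for (size_t i = 0; i < len; i++)
            ats += (p[i] == '@');
        /* Drop, never rewrite, a token with characters outside the set. */
        if (strspn(p, OK_CHARS) == len && ats == 1) {
            if (used + len + (accepted ? 2 : 0) + 1 > outlen)
                return -1;
            if (accepted) {
                memcpy(out + used, ", ", 2);
                used += 2;
            }
            memcpy(out + used, p, len);
            used += len;
            out[used] = '\0';
            accepted++;
        }
        p += len;
    }
    return accepted;
}

int main(void)
{
    /* Constructed sample tag value: two valid addresses and one junk token. */
    const char *tag = "alice@example.org, bob@example.net not;valid@example.com";
    char to[256];
    int n = sanitize_recipients(tag, to, sizeof to);
    printf("%d recipient(s): %s\n", n, to);
    return 0;
}
```

Writing the result into the To: header and invoking sendmail with -t leaves the recipient list entirely inside the message, so no byte of the page's tag ever becomes a shell argument.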
This archive was generated by hypermail 2.0b3 on Sat Jan 02 1999 - 16:29:54 PST