In the secure-dead-drop program provided here:
https://github.com/JeremyRuhland/secure-dead-drop/blob/master/index.cgi
there is a critical bug, which allows the overwriting of shell variables, enabling the attacker to execute system binaries with the rights of the webserver.

In line 173 of the program there is a call to a function:

cgi_getvars BOTH ALL

The function cgi_getvars will overwrite shell variables if the vars in post or get string will have corresponding names (like in: http://example.com/index.cgi&SHELL=%2Fbin%2Frm which would replace the shell variable SHELL with /bin/rm on the host example.com).

Replacing the call with one that only asks for specific variables would fix this problem, like this:

cgi_getvars BOTH var1 var2 var3 var4 var5

The author of the software has been informed and advised already earlier (for different reasons) against using it anymore (sounds to me like this bug will not be fixed).

Description of the program (from the github page):
"Introduction

We already know that all internet and phone traffic is being monitored. You cannot trust your email providers for private and anonymous access. Javascript is dangerous. Tor is broken in some circumstances. The PGP web-of-trust leaks user information in a dangerous way.

Let's fix some of that with software designed to let users of safe computers communicate over unsafe networks.

This webapp allows anonymous users to send messages to your inbox, which arrive signed and encrypted using PGP to ensure message integrity and privacy. Only SSL connections are permitted, which ensures encrypted communication between client and server."

Cheers

wed

Posted on def4.i2p

that should say :

http://example.com/index.cgi?SHELL=%2Fbin%2Frm

of course

Posted on def4.i2p

  To: anon
it's great you took the time to let the author know. what he does about it now is his business, but the word is out.
--- Synchronet 3.17a-Linux NewsLink 1.108
Posted on RetroBBS

He has put a comment on the github page:

"This code is not secure in the slightest and should never be used due to bash shell variable injection bugs.

If you are interested in it for historical purposes please check out the previous commit."

At least he is sincere about it and warns his potential users.

Posted on def4.i2p

anon wrote:

He has put a comment on the github page:

"This code is not secure in the slightest and should never be used due to

bash shell variable injection bugs.

If you are interested in it for historical purposes please check out the

previous commit."

At least he is sincere about it and warns his potential users.

it's good he did that even if abandoning it. shows some integrity on his part.



Posted on Rocksolid Light.

I would find it a bit annoying if it was only about this bug, since it is maybe a 10 min effort to fix it.
But he said already before that this should not be used anymore, due to shellshock et al.

Posted on def4.i2p

This tutorial here http://www.team2053.org/docs/bashcgi/postdata.html teaches the same wrong usage of the code.

I guess the use of bash for cgi is near extinct nowadays, so this will not have a big impact.

Posted on def4.i2p