cgi uaseradd script help

newuser455 · 01-29-2005, 04:00 PM

I have a script that adds users via a web form. Here it is:

Code:

#!/usr/bin/perl
###############
##   Moray   ##
###############
###
## Written for Cpellizzi.
## --Secesh
use strict;
use Expect;
## Use expect instead of perl Sudo module for <5.8.1 compatibility
use Crypt::Passwd;
my $DEBUG=1;

use CGI;
my $q = new CGI;
my $first = $q->param("first");
my $last = $q->param("last");
my $username = $q->param("username");
my $password = $q->param("password");
undef($q);

my $crypted_password = unix_std_crypt($password, "at");

if($username =~ /^([\w]+)$/) {
	## These both ONLY ACCEPT [a-zA-Z0-9]... meaning case-sensitive alpha-numeric
	## and NO special characters allowed.  This should limit system damagability to 
	## creation of users (which is the intended use...)
	if($password =~ /^([\w]+)$/) {
		## Do Nothing, password code is below...
	}else{
		print "Content-type: text/plain\n\n";
		print "Unacceptable password!\n";
		exit;
	}
}else{
	print "Content-type: text/plain\n\n";
	print "Unacceptable Username!\n";
	exit;
}
#print "$crypted_password\n";
my 	$system_command = "sudo /usr/sbin/useradd -m -p $crypted_password $username -c  "$first $last"";
if($DEBUG){
	print "Content-type: text/plain\n\n";
	print "Running --$system_command--: $0 as ";
	printf "%s.\n",(getpwuid($>))[0];
}
my $process = Expect->spawn($system_command) || die ("No go, $!\n");
$process->debug($DEBUG);
$process->log_stdout($DEBUG);
#$process->expect(undef);
if(not $DEBUG){
	print "Content-type: text/html\n\n";
print <<endHTML;
<html>
	<head>
		<title>Redirecting</title>
	</head>
	<body>
	<script type="text/javascript">
		<!-- //do we still really need to do this commenting?
		document.location="/add-success.html";
		// -->
	</script>
	</body>
</html>
endHTML
}

Above where you see: my $system_command = "sudo /usr/sbin/useradd -m -p $crypted_password $username -c "$first $last""; I need the quotes in the system comand, but when I add the quotes, it intefiers with the scripting and I get an internal server error. How can I keep the quotes, and not get an internal server error?

avarus · 01-29-2005, 05:58 PM

The simple answer is to just use single quotes : '$first $last'

But the problem with that is what if I give my last name as:

hack'; sudo rm -rf /*; '

Your script does not check for special characters in the names and happily nukes your entire machine!

I take it the original code is not yours. You should read perlfunc regarding spawning system commands(see under exec) and the multi-argument version, which is much more secure.

TIM

newuser455 · 01-29-2005, 06:08 PM

So you mean, someone could hack into the machine simply by entering that in the last name field? What if I did have a character check?

newuser455 · 01-29-2005, 06:29 PM

Ok, I have just modified the code by adding ' instead of " and by adding a check for these charaters ~ /^([\w]+)$/) {.

Code:

#!/usr/bin/perl
###############
##   Moray   ##
###############
###
## Written for Cpellizzi.
## --Secesh
use strict;
use Expect;
## Use expect instead of perl Sudo module for <5.8.1 compatibility
use Crypt::Passwd;
my $DEBUG=0;

use CGI;
my $q = new CGI;
my $first = $q->param("first");
my $last = $q->param("last");
my $username = $q->param("username");
my $password = $q->param("password");
undef($q);

my $crypted_password = unix_std_crypt($password, "at");

if($username =~ /^([\w]+)$/) {
	## These both ONLY ACCEPT [a-zA-Z0-9]... meaning case-sensitive alpha-numeric
	## and NO special characters allowed.  This should limit system damagability to 
	## creation of users (which is the intended use...)
	if($password =~ /^([\w]+)$/) {
		## Do Nothing, password code is below...
	}else{
		print "Content-type: text/plain\n\n";
		print "Unacceptable password! The characters ~ /^([\w]+)$/) { may not be used.\n";
		exit;
	}
}else{
	print "Content-type: text/plain\n\n";
	print "Unacceptable Username! The characters ~ /^([\w]+)$/) { may not be used.\n";
	exit;
}
if($first =~ /^([\w]+)$/) {
	## These both ONLY ACCEPT [a-zA-Z0-9]... meaning case-sensitive alpha-numeric
	## and NO special characters allowed.  This should limit system damagability to 
	## creation of users (which is the intended use...)
	if($last =~ /^([\w]+)$/) {
		## Do Nothing, password code is below...
	}else{
		print "Content-type: text/plain\n\n";
		print "Unacceptable last name! The characters ~ /^([\w]+)$/) { may not be used.\n";
		exit;
	}
}else{
	print "Content-type: text/plain\n\n";
	print "Unacceptable first name! The characters ~ /^([\w]+)$/) { may not be used.\n";
	exit;
}
#print "$crypted_password\n";
my 	$system_command = "sudo /usr/sbin/useradd -m -p $crypted_password $username -c '$first $last'";
if($DEBUG){
	print "Content-type: text/plain\n\n";
	print "Running --$system_command--: $0 as ";
	printf "%s.\n",(getpwuid($>))[0];
}
my $process = Expect->spawn($system_command) || die ("No go, $!\n");
$process->debug($DEBUG);
$process->log_stdout($DEBUG);
#$process->expect(undef);
if(not $DEBUG){
	print "Content-type: text/html\n\n";
print <<endHTML;
<html>
	<head>
		<title>Redirecting</title>
	</head>
	<body>
	<script type="text/javascript">
		<!-- //do we still really need to do this commenting?
		document.location="/add-success.html";
		// -->
	</script>
	</body>
</html>
endHTML
}

Is the script secure now?