CGI environment variables need a prefix #249
These details were reported by Daniel Hodson at Elttam (https://www.elttam.com.au/blog/) in some excellent security research.
This issue can result in remote code execution on Linux when CGI is enabled and the CGI programs are dynamically linked.
The GoAhead CGI handler accepts HTTP query and form data parameters and creates a CGI environment variable for each parameter, using the parameter name verbatim. On Linux, if a parameter named LD_PRELOAD is supplied with a value that refers to the CGI process's standard input (/proc/self/fd/0), the dynamic linker loads the POST body, which the handler passes to the CGI program on its standard input, as a shared library before the program's main() runs. This permits arbitrary code injection into dynamically linked CGI processes on Linux.
To exploit the vulnerability, an attacker would create an HTTP CGI request that sets LD_PRELOAD=/proc/self/fd/0 in the query string and sets the POST data of the request to a malicious shared library built for the architecture of the device.
Here is an isolated patch that can be applied immediately.
As part of a more general and robust solution, a new main.me configuration property "cgiVarPrefix" is added in 3.6.5.
When the prefix is set to "CGI_" (the default), all user supplied query and form variables are prefixed with CGI_ before they are placed in the CGI environment, so a request parameter can no longer set LD_PRELOAD or any other variable that the dynamic linker or the C library reads. This requires changes to your CGI programs to read the prefixed names (for example CGI_name instead of name). Users are recommended to keep the default prefix and update their CGI programs accordingly.
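To make both the mechanism described above and the 3.6.5 change concrete, here is an added example that is not GoAhead code: a minimal stand-in, in C, for the part of a CGI handler that turns request parameters into the envp[] handed to execve(). It parses the query string from the request described in this issue, builds the environment with a configurable prefix, and checks whether a dynamic-loader variable reached it. With an empty prefix the LD_PRELOAD parameter lands in the environment verbatim; with the CGI_ prefix it becomes CGI_LD_PRELOAD, which the loader ignores. The function names, the sample query string and the LD_ check are assumptions made for this illustration; GoAhead's own handler also percent-decodes values and handles form bodies, which this omits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAMS 16
#define MAX_ENV    (MAX_PARAMS + 1)

/* One decoded query/form parameter. Storage points into the caller's buffer. */
typedef struct { const char *name; const char *value; } Param;

/*
 * Split "a=1&b=2" in place into Param entries (no percent-decoding; a real
 * handler does more, but the handling of the *name* is what matters here).
 * Returns the number of parameters found.
 */
int parse_query(char *qs, Param *out, int max)
{
    int n = 0;
    char *p = qs;
    while (p && *p && n < max) {
        char *amp = strchr(p, '&');
        if (amp) *amp++ = '\0';          /* terminate this pair, move to the next */
        char *eq = strchr(p, '=');
        if (eq) {
            *eq = '\0';
            out[n].name = p;
            out[n].value = eq + 1;
            n++;
        }
        p = amp;
    }
    return n;
}

/* Release the strings allocated by build_cgi_env(). */
void free_env(char *envp[])
{
    for (int i = 0; envp[i]; i++) free(envp[i]);
    envp[0] = NULL;
}

/*
 * Build the NULL-terminated envp[] that would be passed to execve() for the
 * CGI program. With prefix "" every parameter name lands in the environment
 * verbatim (the pre-3.6.5 behaviour the issue describes); with prefix "CGI_"
 * a request parameter can only ever create a CGI_* variable.
 * Returns the number of entries written, or -1 on allocation failure.
 */
int build_cgi_env(const Param *params, int n, const char *prefix, char *envp[], int max)
{
    int i;
    for (i = 0; i < n && i < max - 1; i++) {
        size_t len = strlen(prefix) + strlen(params[i].name) + 1 + strlen(params[i].value) + 1;
        envp[i] = malloc(len);
        if (!envp[i]) { free_env(envp); return -1; }
        snprintf(envp[i], len, "%s%s=%s", prefix, params[i].name, params[i].value);
    }
    envp[i] = NULL;
    return i;
}

/*
 * Defensive check (an assumption of this example, not GoAhead's code): index
 * of the first entry that sets a dynamic-loader variable (LD_*), or -1.
 */
int find_loader_var(char *const envp[])
{
    for (int i = 0; envp[i]; i++)
        if (strncmp(envp[i], "LD_", 3) == 0)
            return i;
    return -1;
}

/*
 * Run the request from the issue through the handler with the given prefix.
 * Returns 1 if LD_PRELOAD reached the CGI environment, 0 if not, -1 on error.
 */
int loader_var_reaches_cgi(const char *prefix)
{
    /* Constructed sample: the query string an attacker would send. */
    char qs[] = "LD_PRELOAD=/proc/self/fd/0&name=test";
    Param params[MAX_PARAMS];
    char *envp[MAX_ENV];
    int n = parse_query(qs, params, MAX_PARAMS);
    if (build_cgi_env(params, n, prefix, envp, MAX_ENV) < 0) return -1;
    int hit = find_loader_var(envp);
    free_env(envp);
    return hit >= 0;
}

int main(void)
{
    printf("no prefix:   LD_PRELOAD reaches CGI env? %d\n", loader_var_reaches_cgi(""));
    printf("CGI_ prefix: LD_PRELOAD reaches CGI env? %d\n", loader_var_reaches_cgi("CGI_"));
    return 0;
}
```

The prefix is the structural fix: it removes the whole class of collisions between request parameter names and variables the loader or libc interpret, rather than enumerating dangerous names. A deny-list such as find_loader_var() is only a stop-gap, since it protects against LD_* but not against any other environment-driven behaviour of the CGI program or its libraries.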