help me for the error in perl script

jigar_halani · #1 (**permalink**) 04-18-05, 02:59 AM

hello everybody,

I have a script running on the server which is as bellow.....

#!/usr/bin/perl

$ShowDynamicOutput = 1;
read(STDIN,$temp,$ENV{'CONTENT_LENGTH'});
@pairs=split(/&/,$temp);
foreach $item(@pairs)
{
($key,$content)=split(/=/,$item,2);
$content=~tr/+/ /;
$content=~s/%(..)/pack("c",hex($1))/ge;
$fields{$key}=$content;
}
sub ExecuteCommand
{
$Command = `cluster "$fields{command}"`;
#$Command = `cluster "service network restart"`;
if($ShowDynamicOutput) # show output as it is generated
{

$|=1;
$Command .= " |";
open(CommandOutput, $Command);
while(<CommandOutput>)
{
$_ =~ s/(\n|\r\n)$//;
print "$_\n";
}
$|=0;
}
else # show output after command completes
{
print `$Command`;
}
}
&ExecuteCommand;
$command=`$fields{command}`;
print "Content-type: text/html\n\n";
print "<HTML>\n";
print "<BODY BGCOLOR=#FFFFFF>\n";
print "$fields{command}";
print "$fields{command}";
print "$command";
print "Thank you";
print "<CENTER>\n";
print "your command is executed<BR>\n";
print "</CENTER>\n";
print "</BODY></HTML>";

now when i am passing a query from web-brouser of windows in command button "service network restart"

i will get the follwoing error in the /var/log/messages

Mar 30 01:24:27 node2 ifdown: Users cannot control this device.
Mar 30 01:24:27 node2 network: Shutting down interface eth0: failed
Mar 30 01:24:28 node2 ifdown: Users cannot control this device.
Mar 30 01:24:28 node2 network: Shutting down interface eth1: failed
Mar 30 01:24:28 node2 ifdown: Users cannot control this device.
Mar 30 01:24:28 node2 network: Shutting down loopback interface: failed
Mar 30 01:24:28 node2 sysctl: error: permission denied on key 'net.ipv4.ip_forward'
Mar 30 01:24:28 node2 sysctl: error: permission denied on key 'net.ipv4.conf.default.rp_filter'
Mar 30 01:24:28 node2 sysctl: error: permission denied on key 'kernel.sysrq'
Mar 30 01:24:28 node2 sysctl: error: permission denied on key 'kernel.core_uses_pid'
Mar 30 01:24:28 node2 network: Setting network parameters: succeeded
Mar 30 01:24:28 node2 ifup: Users cannot control this device.
Mar 30 01:24:28 node2 network: Bringing up loopback interface: failed
Mar 30 01:24:28 node2 ifup: Users cannot control this device.
Mar 30 01:24:28 node2 network: Bringing up interface eth0: failed
Mar 30 01:24:28 node2 ifup: Users cannot control this device.
Mar 30 01:24:28 node2 network: Bringing up interface eth1: failed

could u plz help mee

regards
jigar

Chas · #2 (**permalink**) 04-19-05, 02:49 PM

There's a couple of problems with this. First, the script is running under the same user that Apache is running under which doesn't (nor shouldn't) have enough privileges to execute those commands. That's why your script is failing now. Second, what happens when someone sends a query sting like this to you script:

Code:

script.cgi?command=
rm%20-rf%20%2F

That aint a good thing. This is generally something that I would avoid at all costs. If I absolutely had to run a system command from a cgi I would hard code the commands into the script and use keys to access them. I would also make sure I taint check any other input required to dun those commands.

~Charlie