Please never write C again. Half the office has taken sick leave after I showed them your code and I can't sleep at night anymore.
Anyway, all I could find was some segfaulting stuff. No exploitable buffer overflows, nothing to exploit in strfile or fortune or cowsay because those programs are niggerliciously simple and barely interact with the input, and no XSS possible because you strip <> and insert the text outside tags. So I'll just tell what I got for you.
First, you basically never allocate space for the \0
that C strings need at the end. The one time you do it's by accident because FCGX_GetLine
reads at most n-1
chars. Note that strlen
gives you the length except for the \0
will helpfully discard the \0
in the middle.
Second, don't assume the form data is valid. If you manually post julay
instead of fortune=world
, strstr(cowIn, "=")
returns a null pointer and you get a guaranteed crash further on.
Third, you don't filter occurrences of \n%\n
so you can add multiple fortunes in one request. Not that it matters for this demo, but just sayan.
Fourth, have some god damn decency when replacing characters in a string! No need to convert between pointers and offsets and have quadratic runtime:
for (char* c = strchr(cowStr, '>'); c != NULL; c = strchr(c+1, '>'))
*c = ')';
Keep freeing (exactly once) each address you malloc, unless you want memory leaks. As far as I can tell you're only getting segfaults due to allocating 1 byte too few for C strings.