Bugtraq mailing list archives

view-source

From: myst () LIGHT-HOUSE NET (myst)
Date: Sat, 8 Feb 1997 19:49:28 -0500

---------- Forwarded message from PLaGuEZ ----------
Date: Sat, 1 Jan 1994 04:01:53 +0100
From: PLaGuEZ <dube0866 () eurobretagne fr>
To: myst () light-house net

Hi.

I've just found a pretty ugly hole in view-source cgi-shell script.

   This script, which can be found  on some httpd distributions and
   in SCO Skunkware cdroms, is designed to display a given document
   located in $DOCUMENT_ROOT/$1 (where $DOCUMENT_ROOT is an
   environment variable set by the server).

Unhopefully view-source does not properly check the arguments.

   It is therefore possible to display any file on systems where
   view-source is world executable by sending something like

'http://www.server.com/cgi-bin/view-source?../../../../../../../etc/passwd&apos;

  Obviously this kind of so-called cgi has nothing to do in
  your cgi-bin directory... Maybe a day cgi will be secure ;)

Fix:
        rm -rf view-source
        _better_:   rm -rf cgi-bin/*

laters,

PLaGuEZ

-----------------------------------------------------
-          PLaGuEZ dube0866 () eurobretagne fr         -
-     http://home.virtual-pc.com/spartan/plaguez    -
-----------------------------------------------------

Current thread:

Re: [linux-security] Linux virus, (continued)
- Re: [linux-security] Linux virus Jim Dennis (Feb 05)
  - Re: [linux-security] Re: Linux virus Alan Cox (Feb 05)
  - Re: [linux-security] Re: Linux virus Leejay Wu (Feb 05)
- bliss version 0.4.0 nobody () INTERNIC NET (Feb 05)
- HPSBUX9702-052 Security Vulnerability in the rlogin executable Aleph One (Feb 05)
- [linux-security] Re: Linux virus Aleph One (Feb 06)
- setlocale() bug in all released versions of FreeBSD (SA-97:01) Aleph One (Feb 06)
- Wierd behavior of MS's NT4 DNS Jason T. Luttgens (Feb 07)
- New OFFICIAL patch for BSD/OS 2.1 (*SECURITY*) (fwd) Josh Gilliam (Feb 07)
- Bliss: The Facts Jared Mauch (Feb 08)
- view-source myst (Feb 08)
- IRIX: Bug in startmidi David Hedley (Feb 09)
  - Re: IRIX: Bug in startmidi Nafees Bin Zafar (Feb 09)
  - Security Advisory: A simple TCP spoofing attack Oliver Friedrichs (Feb 09)
    - Re: Security Advisory: A simple TCP spoofing attack Wietse Venema (Feb 12)
    - buffer overflow in configurable fingerd? M Shariful Anam (Feb 12)
    - Re: buffer overflow in configurable fingerd? Ken Hollis (Feb 12)
    - Security Bulletins Digest Aleph One (Feb 13)
    - Linux NLSPATH buffer overflow solar () IDEAL RU (Feb 13)
    - Re: Linux NLSPATH buffer overflow Alan Cox (Feb 14)
    - CIAC Bulletin H-27: HP-UX vgdisplay Buffer Overrun Vulnerability Aleph One (Feb 15)

(Thread continues...)