Bugtraq mailing list archives
May SysAdmin man.sh security hole
From: aleph1 () NATIONWIDE NET (Aleph One)
Date: Sat, 16 May 1998 10:41:43 -0500
---------- Forwarded message ----------
Date: Fri, 15 May 1998 11:28:07 -0700
From: Robert Moniot <moniot () pascal dsm fordham edu>
Subject: May SysAdmin man.sh security hole
Newsgroups: comp.security.unix

The May 1998 issue of SysAdmin Magazine contains an article, "Web-Enabled Man Pages", which includes source code for a very nice cgi script named man.sh to feed man pages to a web browser. The hypertext links to other man pages are an especially attractive feature.

Unfortunately, this script is vulnerable to attack. Essentially, anyone who can execute the cgi thru their web browser can run any system commands with the user id of the web server and obtain the output from them in a web page.

I have notified the author, and he has undertaken to replace the code posted on the www.samag.com website with corrected code, but in the meantime here is a patch that I believe closes the security hole.

48,49c48,50 < sub(/\=/, "=\"", x) < sub(/$/, "\"", x) ---
gsub(/[^-_=+%a-zA-Z0-9]/, ".", x) # strip out any funny chars sub(/\=/, "='"'"'", x) # quote rhs in apostrophes sub(/$/, "'"'"'", x)
51,52c52,53 < gsub(/\+/, " ", x) < print x ---
gsub(/\+/, " ", x) # change + to space if( x ~ /^(man|srch)=/ ) print x
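Review bot: In the 48,49c48,50 hunk, the character class in gsub(/[^-_=+%a-zA-Z0-9]/, ".", x) still lets % through, so the filter only holds if nothing later in the script decodes %XX escapes; if decoding happens after this point, the decoded character lands inside the apostrophe-quoted value without having passed the filter. Either decode before this gsub or drop % from the class. The '"'"' sequences also imply the awk program sits inside a single-quoted shell string, which deserves a one-line comment, since a stray apostrophe in a later edit would end that string early.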
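Review bot: In the 51,52c52,53 hunk, the new line if( x ~ /^(man|srch)=/ ) print x is the only added line without a comment, and it is the one that decides which variable names are accepted. A comment stating that only man and srch are allowed, and that any new form field has to be added to this pattern, would help. Input that fails the test is dropped silently, so the rest of the script should cope with both variables being unset.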