Bugtraq mailing list archives

Re: Vulnerability in infosrch.cgi


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Wed, 24 May 2000 13:57:21 -0400


_______________________________________________________________________
                    SGI Security Advisory

            Title: Vulnerability in infosrch.cgi
                    Number: 20000501-01-P
                      Date: May 22, 2000
_______________________________________________________________________

[snip]

- --------------------------
- --- Temporary Solution ---
- --------------------------

Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.

The steps below can be used to disable the infosrch.cgi(1) program to
prevent exploitation of this vulnerability until patches can be
installed.

I've been dragging my feet on getting this out, I should have when the
vulnerability first came out. It's surprising that SGI doesn't mention the
Netscape server ACLs that you can use to prevent this. Given that most
SGIs out there using the online manpages are *workstations* this is a
safe fix. Note that the ACLs will keep anyone else from getting to the
web server and associated materials. (But hey, if you're using an SGI/IRIX
webserver without securing it, you deserve what you get.)

By default, the server software lives in /usr/ns-home. We can use the ACLs
built into the server solution. Simply edit your magnus.conf file (and
replace workstation with the system's name) and add the following line:

file /usr/ns-home/httpd-workstation/config/magnus.conf:

ACLFile /usr/ns-home/httpacl/generated.httpd-workstation.acl

Then create or edit the file as needed (note the \ marking the line
wrap; it's all one line in the file). Change "workstation" to your
system's name and 10.1.2.3 to your system's IP address:

file: /usr/ns-home/httpacl/generated.httpd-workstation.acl:

ACL httpd-workstation_formgen-WRITE-ACL_deny-3633 (PUT, DELETE, MKDIR, \
RMDIR, MOVE) {
        Default deny anyone;
}

ACL httpd-workstation_formgen-READ-ACL_allow-3633 (GET, HEAD, POST, INDEX)
{
        Default deny anyone;
        Default allow anyone at (127.0.0.1, 10.1.2.3);
}

I have used this and found that it stops people from perusing the
infosrch.cgi script and thwarts the exploit (note the 500 error; I
believe this was posted to INCIDENTS recently):

pedgr827.sn.umu.se - - [22/Apr/1999:07:07:54 -0400] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/echo%20$HTTP_X|/bin/sh%20-s HTTP/1.0" 500 305

----------[ Availability of 6.5.8

Secondly, I noticed yesterday that the relstream on the SGI FTP server
patches.sgi.com was inaccessible. A quick email to SGI had me pointed to
    http://support.sgi.com/colls/patches/tools/relstream/index.html
(thanks to Alexander Icasiano at SGI). I hope this helps. The relstream
directory still shows up empty as of 1:45 EDT Wednesday.

I hope this helps. There may be a bit more to it, it's been a long time
since I installed this ACL. Some kind soul pointed this out to me years
ago on Usenet, and I was unable to find the messages in the Deja archives.
Thanks, whoever you are.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
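The log line quoted in the post shows the shape of the infosrch.cgi attack: the fname parameter is handed to a shell, so a value starting with a pipe runs arbitrary commands. The ACL above stops the requests by client address; the script below is a complementary detection step for anyone checking whether such requests already hit their server. It is an added example, not code from the post or from SGI. It parses Common Log Format lines, URL-decodes the query string of requests to infosrch.cgi, and flags any parameter value carrying shell metacharacters. The log lines in SAMPLE_LOG are constructed for the example (the first is modelled on the line quoted in the post), and the metacharacter set is the author's choice, not anything the advisory specifies.

```python
"""Flag infosrch.cgi requests whose parameters carry shell metacharacters.

Added example, not part of the original Bugtraq post. SAMPLE_LOG is
constructed; its first line is modelled on the line quoted in the post.
"""
import re
from urllib.parse import urlsplit, unquote_plus

# Common Log Format: host ident user [date] "method target proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<date>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Characters that let a parameter value escape a shell command line.
# This set is an assumption for the example, not taken from the advisory.
SHELL_META = set('|;&`$<>\n(){}')

# Constructed sample log: one exploit attempt modelled on the post's line,
# one benign lookup, one attempt using an encoded ';', one unrelated request.
SAMPLE_LOG = """\
pedgr827.sn.umu.se - - [22/Apr/1999:07:07:54 -0400] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/echo%20$HTTP_X|/bin/sh%20-s HTTP/1.0" 500 305
10.1.2.3 - - [22/Apr/1999:07:08:10 -0400] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=ls HTTP/1.0" 200 4120
10.9.8.7 - - [22/Apr/1999:07:09:31 -0400] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=ls%3Bcat%20/etc/passwd HTTP/1.0" 500 305
10.9.8.8 - - [22/Apr/1999:07:10:02 -0400] "GET /index.html HTTP/1.0" 200 1024
"""


def parse_clf(line):
    """Split one Common Log Format line into its fields, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def infosrch_params(target):
    """Return the decoded query parameters if the request targets infosrch.cgi, else None.

    The query is split on '&' before decoding, so an encoded '%3B' or '%26'
    stays inside its value instead of being treated as a separator.
    """
    parts = urlsplit(target)
    if not parts.path.endswith('/infosrch.cgi'):
        return None
    params = {}
    for pair in parts.query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def shell_meta_in(value):
    """Sorted list of shell metacharacters present in a decoded parameter value."""
    return sorted(SHELL_META & set(value))


def scan(log_text):
    """Return one record per infosrch.cgi parameter that carries shell metacharacters.

    The HTTP status is kept so the analyst can see whether the request was
    refused (the post relies on the 500 in its example) or served.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        params = infosrch_params(rec['target'])
        if params is None:
            continue
        for key, value in params.items():
            meta = shell_meta_in(value)
            if meta:
                hits.append({
                    'host': rec['host'],
                    'date': rec['date'],
                    'status': rec['status'],
                    'param': key,
                    'value': value,
                    'meta': meta,
                })
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['host']} {hit['status']} {hit['param']}={hit['value']!r} "
              f"metachars={''.join(hit['meta'])}")
```

Decoding before inspection matters: the third sample line hides its `;` as `%3B`, which a plain grep for metacharacters on the raw log would miss. Feed the script a real access_log by replacing SAMPLE_LOG with the file contents.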

