Penetration Testing mailing list archives
Re: Python CGI interpreter phys.path vuln on Win32 ?
From: Marco van Zanten <marco.van.zanten () cgey nl>
Date: Wed, 24 Oct 2001 10:34:30 +0200
Kristian,

Maybe you can try to write your own cgi script in which you use the python interpreter of the server, you know the exact path now. Link this to a local html page and execute your code on the remote machine.

Good luck,
Marco

Kristian Franzen wrote:
Mailer: SecurityFocus

All,

I'm currently pen-testing a client's web-application running on IIS 4 & 5. They have implemented the logic in their website using CGI scripts written in Python. When addressing a non-existent CGI script in the /cgi-bin folder (or other executable folders that contain CGIs) the webserver reveals the physical path of both the Python interpreter as well as the non-existent cgi-script. The output looks somewhat like:

<c:\program files\python\python.exe: can't open file 'c:\inetpub\wwwroot\cgi-bin\fakefile.cgi'>

Has anyone experienced this, and has anyone figured out which versions of the Python interpreter are vulnerable to this?

In addition, with some playing around with other characters in the URL preceding the fake cgi, like /cgi-bin/""test&20fakefile.cgi, the resulting output turns:

<c:\program files\python\python.exe: can't open file 'c:\inetpub\wwwroot\cgi-bin\test'>

Interesting... (could this be exploited further, to have the interpreter execute other stuff?)

I've harvested various newsgroups for references to these issues, though without success. Any help or input greatly appreciated.

Cheers,
Kristian
kristian.franzen () trs mine nu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
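A defensive check for the disclosure described in this thread, added here as an example and not part of either post: it scans HTTP response bodies for the interpreter error format quoted above and for any other Windows absolute path. The function names and the sample responses are constructed for illustration.

```python
import re

# Error format quoted in the thread:
#   <interpreter path>: can't open file '<script path>'
INTERP_ERROR = re.compile(
    r"(?P<interpreter>[A-Za-z]:\\[^\r\n'\"<>|*?:]+):\s*can't open file\s*"
    r"'(?P<script>[^'\r\n]+)'",
    re.IGNORECASE,
)
# Fallback heuristic: any Windows absolute path (drive letter, colon, backslash).
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\r\n'\"<>|*?:]+")


def find_path_disclosure(body):
    """Return sorted (kind, path) pairs for physical paths leaked in a body."""
    found = set()
    for m in INTERP_ERROR.finditer(body):
        found.add(("interpreter", m.group("interpreter")))
        found.add(("script", m.group("script")))
    known = {path for _, path in found}
    for m in WIN_PATH.finditer(body):
        path = m.group(0).rstrip()
        if path not in known:
            found.add(("other", path))
    return sorted(found)


def audit(responses):
    """Map each URL to its leaked paths; URLs with clean bodies are omitted."""
    report = {}
    for url, body in responses:
        leaks = find_path_disclosure(body)
        if leaks:
            report[url] = leaks
    return report


# Constructed sample responses: the first body is the output quoted in the
# thread, the second is a generic error page that reveals nothing.
SAMPLES = [
    ("/cgi-bin/fakefile.cgi",
     r"<c:\program files\python\python.exe: can't open file "
     r"'c:\inetpub\wwwroot\cgi-bin\fakefile.cgi'>"),
    ("/cgi-bin/other.cgi", "<h1>404 Not Found</h1>"),
]

if __name__ == "__main__":
    for url, leaks in audit(SAMPLES).items():
        print(url, leaks)
```

Run against the error pages of a site you administer, any non-empty result means the server is returning raw interpreter output instead of a generic error page.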
Current thread:
- Python CGI interpreter phys.path vuln on Win32 ? Kristian Franzen (Oct 12)
- Re: Python CGI interpreter phys.path vuln on Win32 ? Joerg Over (Oct 12)
- Re: Python CGI interpreter phys.path vuln on Win32 ? Marco van Zanten (Oct 24)