Vulnerability Development mailing list archives

Re: CGI source being exposed using "~"


From: xm () GEEKMAFIA DYNIP COM (Jonathan Williams)
Date: Sun, 7 May 2000 20:29:33 -0400


This is behavior produced by the joe text editor. Remember kids:

        It's a FEATURE not a BUG/SECURITY_HOLE.

Ex Machina (xm () geekmafia dynip com)    http://geekmafia.dynip.com/~xm/
phone:  1-877-LPT-WHIP         icq:  3387005           aim:  ExMachina
GnuPG Keyprint:     0627 C3A8 DE25 F7FB 46BD  4870 2006 CF7F EBDA 949D

On Sun, 7 May 2000, Nathan Einwechter wrote:

Date: Sun, 7 May 2000 15:02:21 -0400
From: Nathan Einwechter <compsecure () SOFTHOME NET>
To: VULN-DEV () SECURITYFOCUS COM
Subject: CGI source being exposed using "~"

Hello all,

I have searched SecurityFocus and bugtraq archives to see if this is a known issue, but did not turn up anything. So, I will post my questions here.

Recently, while playing on my local ISP's website, I stumbled into what is obviously a security problem.

This problem allows anyone to view and download the source for any of the CGI scripts on their site. All that I did was put a tilde "~" at the end of the URL to the CGI, and it popped up with the CGI source code, and some images etc., which the code references within. None of it is formatted when you first view it. However, if you just view the source of the page, right there in front of you is the entire source code for the Perl CGI script.

Now, the particular script I started to play around with was one where you put in your username/password for the ISP, to find out how many points you have for referring customers. Based on the number of points you have collected, you can purchase certain items for free.

I was able to manipulate the vars etc, such that I could give myself thousands of these points, and if I really 
wanted to, order the items.

This is obviously a problem, but why is it occurring? As far as I can tell, the server is running on Apache 1.3.9 (linux).

I stumbled onto this because of a page I found on the server (I can't remember for the life of me where it was). It was a server-generated page that said something about base names, that there were 229, and displayed four links.
http://server/cgi-bin/index.html
http://server/cgi-bin/index.html~  [base]
http://server/cgi-bin/index.cgi
http://server/cgi-bin/index.cgi~   [base]

I believe. The server has been contacted, but as of yet, nothing has come out of it. I would also like to note that the server's web page is, in general, not secure whatsoever. They have directory traversal problems et al.

Yours truly
Nathan Einwechter

PS Please do not stereotype people who are teenagers and interested in security as "Crackers" or "Script Kiddies", as many of us are not.
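
An added example, not written by either poster: a small audit that walks a web tree and reports editor backup copies of script files, such as the `index.cgi~` described above, which the server hands out as plain text because the name no longer ends in a script extension. Only the `~` suffix comes from the thread; the other suffixes, the script extension list and the sample tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile

# Only "~" comes from the thread; the other suffixes are assumed common cases.
BACKUP_SUFFIXES = ("~", ".bak", ".orig", ".swp")
SCRIPT_EXTENSIONS = (".cgi", ".pl", ".php", ".py", ".sh")


def original_name(filename):
    """Return the name the backup was made from, or None if not a backup."""
    for suffix in BACKUP_SUFFIXES:
        if filename.endswith(suffix) and len(filename) > len(suffix):
            base = filename[: -len(suffix)]
            # vim swap files carry a leading dot: ".index.cgi.swp"
            if suffix == ".swp" and base.startswith("."):
                base = base[1:]
            return base
    return None


def find_exposed_backups(web_root):
    """Return sorted (relative_path, original_name, world_readable) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            base = original_name(name)
            # Backups of static pages leak nothing the server was not already serving.
            if base is None or not base.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            world_readable = bool(os.stat(full).st_mode & 0o004)
            findings.append((os.path.relpath(full, web_root), base, world_readable))
    return sorted(findings)


def demo():
    """Build a constructed cgi-bin tree and audit it."""
    with tempfile.TemporaryDirectory() as root:
        cgi = os.path.join(root, "cgi-bin")
        os.mkdir(cgi)
        for name in ("index.cgi", "index.cgi~", "index.html~", "points.pl.bak"):
            path = os.path.join(cgi, name)
            with open(path, "w") as fh:
                fh.write("#!/usr/bin/perl\n")
            os.chmod(path, 0o644)
        return find_exposed_backups(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pointing `find_exposed_backups()` at a real document root before deployment lists the copies to delete or to block in the server configuration.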


