Bugtraq mailing list archives

Re: Vulnerability in test-cgi...


From: im14u2c () cegt201 bradley edu (Joe Zbiciak)
Date: Mon, 2 Dec 1996 20:43:15 -0600


And then Jesus Altuve went and said something like this:

|
|Safe??? there's a way to inventory the files on a server using the TEST-CGI
|program! (on certain setups) here's the advisory L0pht released on April..

[...]

|On many web sites there exists a file called test-cgi (usually in
|the cgi-bin directory or somewhere similar). There is a problem
|with many of these test-cgi files. If your test-cgi file contains
|the following line (verbatim) then you are probably vulnerable.
|
|echo QUERY_STRING = $QUERY_STRING
|
|All of these lines should have the variables enclosed in loose
|quotes ("). Without these quotes certain special characters
|(specifically '*') get expanded where they shouldn't.


Perhaps a better fix is to disable "globbing" altogether, unless it's
absolutely required.  Under bourne-derived shells, this is done with

set -f

Indeed, this closes up the hole for all of the non-quoted strings.
An even better fix:  remove test-cgi.  :-)  Of course, that doesn't
work for the cases when you do use a shell script for some trivial
web task.  Disabling shell globbing, except as-needed, is a good measure
in general for CGI scripts.

--Joe
--
                                                :======= Joe Zbiciak =======:
                                                :- - im14u2c () bradley edu - -:
    "Puritanism is the haunting fear that       : - - - - - http: - - - - - :
     someone, somewhere, might be happy."       ://ee1.bradley.edu/~im14u2c/:
         --H. L. Mencken                        :======= DISCLAIMER: =======:
                                                :== You mean you actually ==:
                                                :== listen to this stuff? ==:
(655:834 6:15)
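
The behaviour discussed in this message, as an added example that is not part of the original post or of test-cgi itself: the advisory's unquoted echo, the advisory's quoted form, and the `set -f` form, run against a constructed scratch directory. The names `demo_dir`, `render_unquoted`, `render_quoted` and `render_noglob` are hypothetical; the second input shows that `set -f` stops filename expansion but not word splitting, so quoting is still needed to pass the value through unchanged.

```shell
#!/bin/sh
# Constructed scratch directory standing in for the CGI script's working dir.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
touch "$demo_dir/index.html" "$demo_dir/secret.cfg"

# Line from the advisory: unquoted expansion with globbing enabled,
# so a '*' in the value is replaced by the names of the files present.
render_unquoted() (
    cd "$demo_dir" || exit 1
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
)

# Advisory's fix: the variable is enclosed in double quotes,
# so neither globbing nor word splitting touches the value.
render_quoted() (
    cd "$demo_dir" || exit 1
    QUERY_STRING=$1
    echo QUERY_STRING = "$QUERY_STRING"
)

# Reply's fix: 'set -f' disables filename expansion for the whole script.
# The expansion is still unquoted, so runs of whitespace are collapsed.
render_noglob() (
    cd "$demo_dir" || exit 1
    set -f
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
)

# Constructed inputs: a glob character, and a value with repeated spaces.
for q in '*' 'a   b'; do
    printf 'input: [%s]\n' "$q"
    printf '  unquoted: %s\n' "$(render_unquoted "$q")"
    printf '  quoted:   %s\n' "$(render_quoted "$q")"
    printf '  set -f:   %s\n' "$(render_noglob "$q")"
done
```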


