Bugtraq mailing list archives

Re: Vulnerability in test-cgi...


From: espel () clipper ens fr (Roger Espel Llima)
Date: Mon, 2 Dec 1996 05:37:11 +0100


> If you query test-cgi with http://server.com/cgi-bin/test-cgi?*
> Test-cgi pads the '*' with a '\' mark.  Thus, the first line returned is:
> argc is 1. argv is \*
> And if you were to query with http://server.com/cgi-bin/test-cgi?/*  The
> response would be:
> argc is 1. argv is \/*
> Interestingly enough, however, if you query with
> http://server.com/cgi-bin/test-cgi?%0A/*, the result is:
> argc is 1. argv is
>  \/*
> Although it should be:
> argc is 1. argv is \%0A/*
> You'll notice that the %0A (line break) command is executed BEFORE the
> characters are padded.  In this way any command can be passed to test-cgi's
> first result field, and executed (within the cgi).  It seems that all that
> would be needed to crack test-cgi would be to pass some kind of escape or
> break command to test-cgi in the %gobbledygook format.  What would happen
> if several delete commands were passed?

Here at least, test-cgi is a /bin/sh script that contains only "echo"
lines and one "/bin/env | /usr/ucb/fold -78".

Whatever you put into $# and $*, no sane /bin/sh will execute an external
program when evaluating the line:

  echo argc is $#. argv is "$*".

so it seems to me that test-cgi is safe...

        -Roger
--
e-mail: roger.espel.llima () ens fr
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
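The point Roger makes, that a double-quoted "$*" inside an echo line is printed verbatim however odd the positional parameters are, can be checked directly. The script below is an added example written for this archive page; it is not the test-cgi script itself, only a re-creation of its "argc/argv" echo line with the CGI arguments supplied as constructed shell parameters (a bare '*', a '$(id)' string, and an argument beginning with a newline, which is what %0A becomes after URL decoding). The backslash padding seen in the quoted output is assumed to come from the server or script in question and is not reproduced here. For contrast, the same line with $* unquoted is run from a scratch directory holding two constructed empty files, which shows the glob expansion that the quoting prevents.

```shell
#!/bin/sh
# Added example, not the original test-cgi script.

# The echo line from the thread, with "$*" double-quoted as Roger describes.
# Arguments are only substituted, never re-parsed: no globbing, no command
# substitution, and an embedded newline is simply printed as a newline.
argv_line() {
  echo "argc is $#. argv is \"$*\"."
}

# The same line with $* unquoted. The shell then word-splits the value and
# expands any glob characters against the current directory.
argv_line_unquoted() {
  echo argc is $#. argv is $*
}

# Run the unquoted form with a '*' argument inside a scratch directory that
# contains two constructed files, so the glob has something to match.
glob_demo() {
  tmp=$(mktemp -d) || return 1
  : > "$tmp/alpha.txt"
  : > "$tmp/beta.txt"
  ( cd "$tmp" && argv_line_unquoted '*' )
  rm -rf "$tmp"
}

# Stand-alone run: the quoted form prints each constructed argument literally,
# including the one that starts with a newline (the decoded %0A case).
argv_line '*'
argv_line '$(id)'
argv_line "$(printf '\n/*')"
glob_demo
```

Run with any POSIX sh; the three quoted-form calls print `*`, `$(id)`, and a newline followed by `/*` inside the double quotes, while `glob_demo` prints `argc is 1. argv is alpha.txt beta.txt`, which is the reason the quoting around `$*` matters in a script that echoes its arguments back to a client.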


