Bugtraq mailing list archives
Re: Vulnrability in test-cgi...
From: espel () clipper ens fr (Roger Espel Llima)
Date: Mon, 2 Dec 1996 05:37:11 +0100
> If you query test-cgi with
>
>     http://server.com/cgi-bin/test-cgi?*
>
> test-cgi pads the '*' with a '\' mark. Thus, the first line returned is:
>
>     argc is 1. argv is \*
>
> And if you were to query with
>
>     http://server.com/cgi-bin/test-cgi?/*
>
> the response would be:
>
>     argc is 1. argv is \/*
>
> Interestingly enough, however, if you query with
>
>     http://server.com/cgi-bin/test-cgi?%0A/*
>
> the result is:
>
>     argc is 1. argv is \/*
>
> although it should be:
>
>     argc is 1. argv is \%0A/*
>
> You'll notice that the %0A (line break) command is executed BEFORE the
> characters are padded. In this way any command can be passed to test-cgi's
> first result field, and executed (within the cgi). It seems that all that
> would be needed to crack test-cgi would be to pass some kind of escape or
> break command to test-cgi in the %gobbledygook format. What would happen
> if several delete commands were passed?
Here at least, test-cgi is a /bin/sh script that contains only "echo" lines and one "/bin/env | /usr/ucb/fold -78". Whatever you put into $# and $*, no sane /bin/sh will execute an external program when evaluating the line:

    echo argc is $#. argv is "$*".

so it seems to me that test-cgi is safe...

-Roger

--
e-mail: roger.espel.llima () ens fr
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
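As an added illustration of Roger's point (a constructed example, not the test-cgi script itself): a stand-in for the script's echo line is fed an argument containing the real newline that %0A decodes to, followed by text that would only create a marker file if some shell evaluated it as a command. The backslash-escaping step and its character set are assumptions standing in for what httpd did before exec'ing the script.

```shell
#!/bin/sh
# Stand-in for the echo line of test-cgi quoted above (constructed example,
# not the original script). Arguments arrive as positional parameters.
test_cgi() {
  echo argc is $#. argv is "$*".
}

# Assumed stand-in for the escaping httpd applied before exec'ing the script:
# %0A has already been decoded to a real newline, and shell metacharacters get
# a backslash. The newline itself is not in the set, which is why it showed
# up unescaped in the output the original poster saw.
escape_meta() {
  printf '%s' "$1" | sed 's/[][&;`|*?~<>^()${}]/\\&/g'
}

# Constructed argument: the newline %0A decodes to, followed by text that
# would create MARKER if any shell evaluated it as a command.
MARKER="${TMPDIR:-/tmp}/test-cgi-marker.$$"
RAW_ARG="$(printf '\n/*; touch %s' "$MARKER")"

# Run the stand-in and report whether the embedded command ever executed.
# Returns 0 and prints the script's output when it did not.
run_demo() {
  rm -f "$MARKER"
  out="$(test_cgi "$(escape_meta "$RAW_ARG")")"
  if [ -e "$MARKER" ]; then
    rm -f "$MARKER"
    echo "EXECUTED: the argument was evaluated as a command" >&2
    return 1
  fi
  printf '%s\n' "$out"
}

run_demo
```

The argument is echoed verbatim (newline included) and the marker is never created: the positional parameters are data to echo, not a command line.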