Bugtraq mailing list archives
"The Finger Server"
From: iwade () OPTUSNET COM AU (Iain Wade)
Date: Fri, 4 Feb 2000 22:36:55 +1100
Hello,

Late last year I was tinkering w/ The Finger Server v0.82 and came across some bugs which let you execute shell commands under the privileges of the web server. It's available at http://www.glazed.org/finger/

I sent a number of messages to the author but never received a reply .. I just remembered about it and checked it was still vulnerable and still being used around the net. It is.

It's just another case of perl doing its magic on an open() call. I haven't by any means audited the code, so there are undoubtedly other problems, but here's the offending code I exploited:

    open (PLANS, "$plan_path$filename") || do {
        print "Can't open $plan_path$filename: $!";
        return;
    };

It is called with the following arguments:

    finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.plan

It does minimal checking before there, really only making sure the username is valid, but for example by using:

    finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.|<shell code>|

you can execute whatever ..

The server I was testing it on was running UBB, and I was easily able to use this to grab a couple of thousand accounts since it stores them in cleartext. (I promptly forgot those passwords .. it wouldn't be nice to do otherwise right? :)

Regards,

--
Iain Wade
iwade () optusnet com au
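The fix a maintainer would apply to the open() call quoted in the post, written here as an added Perl example; it is not from the post and not from The Finger Server's source. It assumes a $plan_path directory and a read_plan() function (both made up for this example) and that archive files are named exactly as the post's URL shows (date stamp, username, ".plan"). The point is twofold: a three-argument open() with an explicit '<' mode cannot be turned into a pipe by the filename, and an allowlist on the request parameter rejects anything outside the expected naming scheme before open() is ever reached.

```perl
#!/usr/bin/perl
# Added example, not The Finger Server's code: hardened replacement for
#   open (PLANS, "$plan_path$filename") || do { ... };
# Assumptions (not taken from the project): $plan_path location, the
# read_plan() helper name, and the archive naming scheme
# "YY.MM.DD.HH.MM.username.plan".
use strict;
use warnings;

my $plan_path = '/var/www/finger/plans/';   # placeholder location

# Returns ($contents, undef) on success or (undef, $error) on failure.
# The request string never reaches open() except as a literal path.
sub read_plan {
    my ($filename) = @_;
    return (undef, "missing archive name") unless defined $filename;

    # 1. Allowlist the exact naming scheme. Pipes, slashes, "..", and any
    #    shell metacharacter fail the match. Capturing the match also
    #    untaints the value under perl -T.
    my ($safe) = $filename =~
        /\A(\d{2}\.\d{2}\.\d{2}\.\d{2}\.\d{2}\.[A-Za-z0-9_-]{1,32}\.plan)\z/
        or return (undef, "invalid archive name");

    # 2. Three-argument open with an explicit read mode. Unlike the
    #    two-argument form, the mode is fixed by the code, so a leading or
    #    trailing '|' in the name would be an ordinary (missing) file,
    #    never a command to run.
    open(my $fh, '<', "$plan_path$safe")
        or return (undef, "Can't open $plan_path$safe: $!");
    my $contents = do { local $/; <$fh> };   # slurp the whole file
    close $fh;
    return ($contents, undef);
}

# Constructed inputs for demonstration: the first matches the scheme (it
# will only read if the file exists); the others are rejected by the
# allowlist and never reach open().
for my $name ('99.10.28.15.23.username.plan',
              '99.10.28.15.23.username.|',
              '../other.plan') {
    my ($data, $err) = read_plan($name);
    printf "%-32s => %s\n", $name,
        defined $data ? 'read ok' : "rejected/failed: $err";
}
```

Running the script prints one line per input; only a name that matches the scheme and exists under $plan_path is read, so the post's `|`-terminated form is refused at the allowlist step with "invalid archive name" rather than being handed to open().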
Current thread:
- "The Finger Server" Iain Wade (Feb 04)
- <Possible follow-ups>
- Re: "The Finger Server" Iain Wade (Feb 05)