Vulnerability Development mailing list archives

Re: CGI insecurities


From: taylord () INFOSECURE COM AU (David Taylor)
Date: Mon, 24 Jan 2000 14:24:01 +0800


On Mon, 24 Jan 2000, hypoclear - lUSt - (Linux Users Strike Today) wrote:

I have a question about CGI insecurities.  Let's suppose this...  You're
looking at a site with some CGI forms that do a couple of neato things,
and most likely there is a vulnerability in these scripts.  How would
one go about exploiting these scripts?  (I'm not talking about pumping
1000 A's into it, till it crashes. ;-)  Do you need the source code for
the script?  Is there any way to retrieve the code of the working script
on the site?  I'm posting to vuln-dev because I believe that it will
help aid in the exploiting of CGI scripts...  of course I could be wrong

The source code for the CGI application will certainly help you find
vulnerabilities within it.  A properly configured web server will not
allow you to retrieve the source code.  However, not all web servers are
properly configured, right?  Look through the Bugtraq archive for the
::$DATA vulnerability in IIS.  Also, if you have local unprivileged access
to the web server you might have read perms on the CGI source.

Another thing to keep in mind is that a lot of commonly used CGIs are
free and can be downloaded from the web, or from the web server vendor.
Failing this, you have to start making educated guesses about the logic
behind the CGI, and how it could be exploited.  (This is the bit where
1000 A's becomes appropriate).

Dave Taylor
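
An added example, not part of the original post: a defender's audit for the local read-permission exposure mentioned in the reply, listing CGI files whose "other" permission bits let any unprivileged local account read or modify them. The directory layout and the script names `search.cgi` and `feedback.cgi` are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_cgi_dir(cgi_dir):
    """Return sorted (relative_path, octal_mode, issues) for exposed regular files."""
    findings = []
    for root, _dirs, files in os.walk(cgi_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            issues = []
            if mode & stat.S_IROTH:
                issues.append("world-readable")  # any local user can read the source
            if mode & stat.S_IWOTH:
                issues.append("world-writable")  # any local user can change the script
            if issues:
                rel = os.path.relpath(path, cgi_dir)
                findings.append((rel, oct(mode), issues))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample cgi-bin: one exposed script, one restricted script."""
    cgi_dir = tempfile.mkdtemp(prefix="cgi-audit-")
    for name, mode in (("search.cgi", 0o755), ("feedback.cgi", 0o750)):
        path = os.path.join(cgi_dir, name)
        with open(path, "w") as handle:
            handle.write("#!/usr/bin/perl\n")
        os.chmod(path, mode)  # set explicitly so the umask does not matter
    return cgi_dir


if __name__ == "__main__":
    for rel, mode, issues in audit_cgi_dir(build_sample_tree()):
        print(f"{rel}: mode {mode}: {', '.join(issues)}")
```

A script the web server has to read can stay readable through group ownership (mode 0750 with the server's group) rather than through the "other" bits.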

