[2120] in WWW Security List Archive
Re: CGI Security Problem (fwd)
daemon@ATHENA.MIT.EDU (Gene Ingram)
Mon May 20 16:58:20 1996
Date: Mon, 20 May 1996 10:35:05 -0700
From: Gene Ingram <gene@hpfsvr01.cup.hp.com>
Reply-To: www-security@ns2.rutgers.edu, Gene Ingram <gene@hpfsvr01.cup.hp.com>
To: www-security@ns2.rutgers.edu
Cc: Lincoln Stein <lstein@genome.wi.mit.edu>
Errors-To: owner-www-security@ns2.rutgers.edu
Lincoln Stein wrote:
>
> I just got this note from a reader of the WWW Security FAQ. I haven't
> confirmed the problems with CGITap yet, but you might want to watch
> out for this script.
>
> Lincoln
>
> Forwarded message:
> > From daemon Sat May 18 03:26:30 1996
> > Message-Id: <m0uKgOx-0010btC@vista.hevanet.com>
> > Comments: Authenticated sender is <maurice@mail.hevanet.com>
> > From: "Maurice L. Marvin" <maurice@hevanet.com>
> > To: lstein@genome.wi.mit.edu
> > Date: Sat, 18 May 1996 00:14:08 -0700
> > Subject: CGI Security Problem
> > Reply-To: maurice@hevanet.com
> > Priority: normal
> > X-Mailer: Pegasus Mail for Windows (v2.23)
> >
> > Hello Lincoln. There is a CGI script
> > named CGITap (http://scendtek.com/cgitap/), which
> > I believe has a serious security problem.
> >
> > I have notified the author, but have not
> > received a reply yet. I am notifying you because
> > of the potentially widespread distribution of this
> > program (it is referenced in the May edition of
> > WebSmith, page 45).
> >
> > The program does not remove or escape
> > metacharacters from the user-supplied data prior to
> > being passed to the shell, and as such, I've been able
> > to execute several arbitrary commands.
> >
> > Best Regards,
> >
> > Maurice L. Marvin <maurice@hevanet.com>
> >
I know this is going to sound obvious, but here goes: Is it safe
to hit the above site to see what it does, or was your warning
indicating that one should *not* hit it unless, of course, you're a
security guru interested in studying the problem? I thought about
hitting the site http://scendtek.com/cgitap/ but it occurred to me
this *might not be* a ``demo'' but in fact the live McCoy, and as
such I'm concerned about any trouble penetrating our firewall.
Sorry if I misunderstood your post and this question sounds
redundant; I won't hit it pending your reply. Thanks.
Gene
--
``Imagine if every Thursday your shoes exploded if you tied them
the usual way. This happens to us all the time with computers,
and nobody thinks of complaining.'' -Jeff Raskin
______ gene@cup.hp.com
/\__ _\ ingram@pubs.holosys.com
\/_/\ \/ ___ __ _ __ __ ___ ___
\ \ \ /' _ `\ /'_ `\/\`'__\/'__`\ /' __` __`\
\_\ \__/\ \/\ \/\ \L\ \ \ \//\ \L\.\_/\ \/\ \/\ \
/\_____\ \_\ \_\ \____ \ \_\\ \__/.\_\ \_\ \_\ \_\
\/_____/\/_/\/_/\/___L\ \/_/ \/__/\/_/\/_/\/_/\/_/
/\____/
________________________\_/__/____________________________________
PGP UserID: "Gene Ingram <gene@cup.hp.com>"
Key Size: 1024 bits; Creation date: 21 March 1996; KeyID: 9FEBA191
Key fingerprint: 93 E1 15 E6 35 BC B2 84 B2 7B 39 76 29 72 32 72
--3D signature created courtesy of ``Figlet Ascii Font Converter''
<http://mediacube.datacom.de/cgi-bin/moniteurs/figlet>
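
The class of flaw reported in the forwarded note (user-supplied data reaching the shell with its metacharacters intact), shown beside three defences. This is an added example, not part of the original thread and not CGITap's code; the form-field value, the allow-list pattern and all helper names are assumptions made for illustration.

```python
import re
import shlex
import subprocess
import sys

# Characters a POSIX shell treats specially (list assembled for this example).
SHELL_META = set("&;`'\"|*?~<>^()[]{}$\\\n\r")
# Allow-list for a hypothetical "name" form field.
SAFE_FIELD = re.compile(r"[A-Za-z0-9_.@-]{1,64}")
# Child process that writes its first argument verbatim (stand-in for a real tool).
ECHO_ARG = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]

def metachars_in(value):
    """Return the sorted shell metacharacters present in value."""
    return sorted(set(value) & SHELL_META)

def is_safe_field(value):
    """Allow-list check: accept only characters known to be harmless."""
    return SAFE_FIELD.fullmatch(value) is not None

def run_via_shell(value):
    """The flawed pattern: user data concatenated into a shell command line."""
    out = subprocess.run("echo " + value, shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()

def run_via_argv(value):
    """Hardened: no shell at all; the value is one argv element, never parsed."""
    out = subprocess.run(ECHO_ARG + [value], capture_output=True, text=True)
    return out.stdout

def run_via_quoted_shell(value):
    """If a shell cannot be avoided, quote the value before interpolating it."""
    out = subprocess.run("echo " + shlex.quote(value), shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()

if __name__ == "__main__":
    sample = "guest; echo SECOND-COMMAND"  # constructed form-field value
    print(metachars_in(sample), is_safe_field(sample))
    print(run_via_shell(sample))         # two lines: the shell ran two commands
    print(run_via_argv(sample))          # the value arrives as plain data
    print(run_via_quoted_shell(sample))  # one line: the quoted value stays data
```

Rejecting input with the allow-list before it reaches any command is the first line of defence; passing it as an argv element keeps a missed character from being interpreted.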