[3146] in WWW Security List Archive
Test-cgi flaw
daemon@ATHENA.MIT.EDU (htorgema@novice.uwaterloo.ca)
Sun Oct 6 10:35:49 1996
From: htorgema@novice.uwaterloo.ca
Date: Sun, 6 Oct 1996 08:28:59 -0400 (EDT)
Reply-To: htorgema@novice.uwaterloo.ca
To: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
I noticed an odd thing in the "test-cgi" cgi given with the standard
configuration of the NCSA and apache httpd (and probably others too):
the line:
echo QUERY_STRING = "$QUERY_STRING"
contains "" to prevent someone from sending a URL like
http://foo.org/cgi-bin/test-cgi?*
to browse the content of the cgi-bin directory (and possibly
the content of any other directory).
But then why is this line not patched?
echo CONTENT_TYPE = $CONTENT_TYPE
It is quite easy to obtain the same result by using this field,
by sending a "Content-type: *" line to the server,
and the mime-type requested is generally not logged by the server,
so these actions are much harder to detect.
BTW, the same trick works with the CONTENT_LENGTH variable, and probably
with other variables too...
And it is possible that some other CGIs have the same problem.
I simply don't understand why CGI script authors don't put all their
variables between "".
---------------
Henri Torgemane http://www.undergrad.math.uwaterloo.ca/~htorgema/
Never let your sense of morals prevent you from doing what is right.
-- Salvor Hardin, "Foundation"
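As an added illustration (not part of Henri's post, nor code from the NCSA or Apache test-cgi script), the POSIX shell snippet below places the unquoted echo line the post quotes next to the quoted form that the QUERY_STRING line already uses, and runs both inside a constructed scratch directory that stands in for cgi-bin. The function names, the scratch file names and the helper that flags glob metacharacters in a header value are assumptions made here, not anything from the original script.

```shell
#!/bin/sh
# Added example, not from the original post or from test-cgi itself.
# Shows why an unquoted `echo CONTENT_TYPE = $CONTENT_TYPE` expands a header
# value of "*" into a directory listing, while the double-quoted form does not.

# Unquoted form, as in the test-cgi line discussed in the post: the shell
# applies word splitting and pathname (glob) expansion to the value.
unquoted_echo() {
    echo CONTENT_TYPE = $1
}

# Quoted form, matching the already-patched QUERY_STRING line: the value is
# printed verbatim, whatever metacharacters it contains.
quoted_echo() {
    echo CONTENT_TYPE = "$1"
}

# Defender-side check (assumption: not part of test-cgi): returns 0 when a
# header value contains shell glob metacharacters, so a wrapper or log filter
# can flag requests the server would otherwise never record.
has_glob_chars() {
    case "$1" in
        *[\*\?\[]*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Run both variants against a constructed value of "*" in a scratch directory
# holding two constructed file names, then clean up. Uses a subshell so the
# caller's working directory is untouched.
demo() {
    scratch=$(mktemp -d)
    (
        cd "$scratch" || exit 1
        touch secret-script.pl other-script.sh
        echo "unquoted: $(unquoted_echo '*')"   # lists the two files
        echo "quoted:   $(quoted_echo '*')"     # prints a literal *
        if has_glob_chars '*'; then
            echo "flagged:  header value contains glob metacharacters"
        fi
    )
    rm -rf "$scratch"
}

demo
```

Running it prints the directory contents on the unquoted line and a literal `*` on the quoted line, which is exactly the difference between the patched QUERY_STRING line and the unpatched CONTENT_TYPE line. Quoting every expansion (`"$CONTENT_TYPE"`, `"$CONTENT_LENGTH"`, and so on) is the fix; the metacharacter check is only a detection aid for a server that does not log the Content-type header.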