[3593] in WWW Security List Archive


Re: test-cgi

daemon@ATHENA.MIT.EDU (Tim O'Shea [tmo])
Wed Nov 20 01:58:52 1996

Date: Wed, 20 Nov 1996 00:02:03 -0500 (EST)
From: "Tim O'Shea [tmo]" <tmoshea@mailbox.syr.edu>
To: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
cc: www-security@ns2.rutgers.edu
In-Reply-To: <Pine.SOL.3.91.961118131107.9467A-100000@sol.star.bris.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 18 Nov 1996, Steff Watkins wrote:

> Hello,
> 
>  excuse my ignorance but......
> 
> What possible 'security' risk could there be in setting the CONTENT_TYPE 
> (or CONTENT_LENGTH) variables???

As the test-cgi script does not delimit the CONTENT variables with quotes,
adding in particular string options to these fields could bypass script
security and gain file listings from the web server.  These listings could
give enough info to determine other scripts in the directory or server
file structures.  I'm sure there are more detailed explanations available
and I might be missing part of the story, but I think this is the general
idea.

(Brief 'for instance')

1. Your server has test-cgi (most implementations I have come across have
this by default).
2. The content lines are not set with quotes in the script
3. I send the appropriate string to your test-cgi script through the
content field (see previous examples)
4. test-cgi sends me an output listing of your cgi-bin directory.
5. I find that you have another script or scripts which I know have bugs
and I take advantage of them.

Simplistic, sure, but I would be able to go from there.  Little chinks in
the armor are all it takes.


Tim.who.thinks.he's.getting.it
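The unquoted-expansion problem Tim describes, shown as an added example that is not part of this message or of the original test-cgi script. The shell functions, the sandbox directory and its file names (alpha.cgi, beta.cgi, test-cgi) are all constructed here for illustration; the point is that `echo CONTENT_TYPE = $CONTENT_TYPE` lets the shell perform filename globbing on whatever the request supplied, while the quoted form `echo "CONTENT_TYPE = $CONTENT_TYPE"` (or `set -f`) emits the value literally, so a directory listing cannot leak through it.

```shell
#!/bin/sh
# Added example (not from the original test-cgi): why an unquoted CGI
# variable echo leaks a directory listing, and two ways to fix it.

# Build a constructed stand-in for a cgi-bin directory and print its path.
# File names are made up for the demonstration.
make_sandbox() {
    dir=${TMPDIR:-/tmp}/cgi-bin-demo.$$
    mkdir -p "$dir" || return 1
    for f in alpha.cgi beta.cgi test-cgi; do
        : > "$dir/$f"
    done
    printf '%s\n' "$dir"
}

# Vulnerable form (mirrors the unquoted style Tim refers to):
# $value is expanded without quotes, so the shell applies word splitting
# and pathname expansion to request-controlled data before echo sees it.
# Runs in a subshell so the cd does not affect the caller.
vulnerable_line() (
    cd "$1" || exit 1
    value=$2
    echo CONTENT_TYPE = $value
)

# Hardened form 1: double quotes make the expansion one literal word;
# no globbing or word splitting happens.
fixed_line() (
    cd "$1" || exit 1
    value=$2
    echo "CONTENT_TYPE = $value"
)

# Hardened form 2: 'set -f' turns off pathname expansion for the whole
# script, a belt-and-braces setting for CGI shell scripts that must echo
# environment values.
fixed_noglob_line() (
    cd "$1" || exit 1
    set -f
    value=$2
    echo CONTENT_TYPE = $value
)

# Check: returns 0 (true) when the unquoted output differs from the
# literal value, i.e. when the shell rewrote request-supplied data.
is_leaking() {
    unquoted=$(vulnerable_line "$1" "$2") || return 1
    literal="CONTENT_TYPE = $2"
    [ "$unquoted" != "$literal" ]
}

# Usage demonstration on the constructed sandbox.
demo_dir=$(make_sandbox) || exit 1
vulnerable_line "$demo_dir" '*'    # CONTENT_TYPE = alpha.cgi beta.cgi test-cgi
fixed_line "$demo_dir" '*'         # CONTENT_TYPE = *
fixed_noglob_line "$demo_dir" '*'  # CONTENT_TYPE = *
rm -rf "$demo_dir"
```

A value such as `text/plain` passes through both forms unchanged, which is why the bug went unnoticed in normal use; only a value containing glob or whitespace characters reveals the difference, so `is_leaking` is a quick regression check to run against any shell CGI that echoes environment variables.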