[11886] in bugtraq
Re: CGI security
daemon@ATHENA.MIT.EDU (Ivo van der Wijk)
Tue Sep 14 01:38:35 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <19990913104942.J22166@kopje.koffie.nu>
Date: Mon, 13 Sep 1999 10:49:42 +0200
Reply-To: Ivo van der Wijk <ivo@ivo.ig.net>
From: Ivo van der Wijk <ivo@ivo.ig.net>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <01BEFD05.3DC902C0.kerb@fnusa.com>; from Kerb on Sun, Sep 12, 1999 at 09:57:35AM -0500
On Sun, Sep 12, 1999 at 09:57:35AM -0500, Kerb wrote:
> I just read most of the Phrack article about CGI security, and it made me
> wonder about another possible exploit.
>
> You'll have to correct me if I am wrong, as I am not real familiar with C,
> but would it be possible to throw an EOF character into a string? Maybe a
> query string? Now that doesn't sound all that great as is, but if you think
> about it, URLs are logged into the web logs, and a lot of administrators
> either have a program or just grep the access_log for attempts to exploit
> CGI vulnerabilities (scanners, etc). Now this is where it gets good. Would
> it be possible to tack an EOF file into a query string on a normal request,
> even for a static page (/index.html?EOF), then follow up with an exploit?
> That way, if it works as I think it might, then when the log file is
> checked, it finds that EOF character and stops there, thinking it is the
> end of the file. That would effectively cover your tracks. As a CGI
> programmer, I'd appreciate any feedback.
>
EOF characters don't exist (at least not on Un*x) - a file ends when all of its
bytes have been read.
Ivo
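An added illustration of Ivo's point (example code, not part of the thread): a constructed access_log carrying Ctrl-D and Ctrl-Z bytes in a query string is still read to its last line, and a log checker can flag such bytes as a signal instead of being stopped by them. The log lines, file name and the `/cgi-bin/probe.cgi` path are constructed for the example.

```python
"""Added example: control bytes in a query string do not end a Unix log
file early, and a log scanner can flag them as suspicious."""
import os
import re
import tempfile

# Constructed access_log content (not real traffic). The second request
# smuggles 0x04 (Ctrl-D, terminal EOT) and 0x1A (Ctrl-Z, the DOS EOF
# marker) into the query string; the third line is the later probe the
# poster hoped such bytes would hide.
CONSTRUCTED_LOG = (
    b'10.0.0.1 - - [12/Sep/1999:09:57:35 -0500] "GET /index.html HTTP/1.0" 200 1234\n'
    b'10.0.0.1 - - [12/Sep/1999:09:57:36 -0500] "GET /index.html?\x04\x1a HTTP/1.0" 200 1234\n'
    b'10.0.0.1 - - [12/Sep/1999:09:57:37 -0500] "GET /cgi-bin/probe.cgi?x HTTP/1.0" 404 0\n'
)

CONTROL_BYTE = re.compile(rb"[\x00-\x09\x0b-\x1f\x7f]")  # any control byte but \n
CGI_REQUEST = re.compile(rb'"GET /cgi-bin/')             # crude "CGI probe" match

def read_log(path):
    """Return every non-empty line of the file. A Unix file has no in-band
    end marker: read() stops when the bytes run out, not at any byte value."""
    with open(path, "rb") as fh:
        return [line for line in fh.read().split(b"\n") if line]

def lines_with_control_bytes(lines):
    """Indices of lines containing raw control bytes. A normal browser
    percent-encodes these, so their presence is itself worth alerting on."""
    return [i for i, line in enumerate(lines) if CONTROL_BYTE.search(line)]

def lines_with_cgi_requests(lines):
    """Indices of lines that request something under /cgi-bin/."""
    return [i for i, line in enumerate(lines) if CGI_REQUEST.search(line)]

def scan_constructed_log():
    """Write the constructed log to a temp file, read it back and report."""
    with tempfile.NamedTemporaryFile(suffix=".log", delete=False) as tmp:
        tmp.write(CONSTRUCTED_LOG)
        path = tmp.name
    try:
        lines = read_log(path)
    finally:
        os.unlink(path)
    return {
        "lines_read": len(lines),                             # all 3 lines survive
        "control_byte_lines": lines_with_control_bytes(lines),  # [1]
        "cgi_lines": lines_with_cgi_requests(lines),           # [2], not hidden
    }

if __name__ == "__main__":
    print(scan_constructed_log())
```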