[13103] in bugtraq


WebWho+ ADVISORY

daemon@ATHENA.MIT.EDU (Cody T. - hhp)
Mon Dec 27 15:03:09 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7BIT
Message-Id:  <19991226093620.BA0961EE87@lists.securityfocus.com>
Date:         Sun, 26 Dec 1999 04:04:59 -0600
Reply-To: hhp@secure.usarmy.com
From: "Cody T. - hhp" <hhp@secure.usarmy.com>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

              WebWho+ - ADVISORY.
                 hhp-ADV#13
            11/26/99 2:48:03am CST
                By: loophole
    hhp@hhp.perlx.com - http://hhp.perlx.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What?: Hole in WebWho+, a whois cgi.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Version(s)?: v1.1
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Exploit!:
WebWho+ v1.1 checks for shell escape
characters in its 'command' parameter,
but what keeps us from changing the
preselected, default TLD options?

WebWho+ v1.1 does NOT check for shell
escape characters in its 'type' (TLD)
parameter, which is what is being
exploited.

The exploit is available to download via:
http://hhp.perlx.com/ourexploits/hhp-webwho.pl
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix?:
Download a secure, shell escape character
parsing whois common gateway interface
from:
http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Internet_Utilities/Whois/

Read:
http://hhp.perlx.com/ouradvisories/hhp-Whois.txt
before deciding which is secure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Shouts to all of hhp.
9d9->2t0(Boom/Repair/Glory);
------------------------------------------------
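
One way to close the gap the advisory describes, as an added example that is not part of the original message or the WebWho+ source: validate both 'command' and 'type' on the server and run whois without a shell. It assumes the CGI joins the two parameters into one whois query; `build_query`, `run_whois` and the TLD list are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not WebWho+ code. Assumption: the CGI builds its whois query
# from 'command' (the name) and 'type' (the TLD) and runs a local whois binary.
use strict;
use warnings;

# TLD values the form is meant to offer (constructed list for illustration).
my %ALLOWED_TLD = map { $_ => 1 } qw(com net org edu);

# Return the validated query string, or undef if either parameter is rejected.
sub build_query {
    my ($command, $type) = @_;
    return unless defined $command && defined $type;
    $type =~ s/^\.//;                      # accept ".com" or "com"
    $type = lc $type;
    # 'type' arrives from the client like any other field, so the fixed menu
    # in the HTML form is no protection: check it against the allowlist.
    return unless $ALLOWED_TLD{$type};
    # 'command': a single DNS label, letters/digits/hyphen, 1 to 63 characters.
    return unless $command =~ /\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z/;
    return lc($command) . ".$type";
}

# List-form pipe open: the query is passed as one argv entry and no shell
# ever parses it, so metacharacters would have no meaning even if one got by.
sub run_whois {
    my ($query) = @_;
    open(my $fh, '-|', 'whois', $query) or return "whois failed: $!";
    local $/;                              # slurp the whole reply
    my $out = <$fh>;
    close $fh;
    return $out;
}

# Constructed inputs; the last two model tampered form fields.
my @samples = (
    [ 'example',  'com'    ],
    [ 'example',  '.net'   ],
    [ 'example',  'com;id' ],
    [ 'exa|mple', 'org'    ],
);
for my $s (@samples) {
    my $q = build_query(@$s);
    printf "command=%-9s type=%-7s => %s\n", $s->[0], $s->[1],
        defined $q ? "query $q" : "rejected";
}
```

The demo loop only exercises the validation; `run_whois` is defined for use once `build_query` has returned a defined value.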
