[19144] in bugtraq


Environment and Setup Variables can be Viewed through webpage.cgi

daemon@ATHENA.MIT.EDU (UkR-XblP)
Mon Feb 12 17:09:38 2001

Mime-Version: 1.0
Content-Type: text/plain; charset="KOI8-R"
Content-Transfer-Encoding: 8bit
Message-Id:  <web-16665278@backend2.aha.ru>
Date:         Mon, 12 Feb 2001 17:16:14 +0300
Reply-To: UkR-XblP <cuctema@OK.RU>
From: UkR-XblP <cuctema@OK.RU>
To: BUGTRAQ@SECURITYFOCUS.COM

Name: Environment and Setup Variables can be Viewed through
webpage.cgi
Date: 28.01.2001
Problems: The script allows several environment variables to
be viewed by the attacker, who can gain useful information
on the site, making further attacks more feasible.
Analysis: webpage.cgi dumps useful information (e.g. script
location, HTTP root, version of Perl, server_admin,
server_name, path) to the browser when the database file
provided is incorrect.
Exploits: If the site does not contain a file named ukr.htm,
the following URL displays the environment dump (note: this
URL may not work, as the vendor has applied the patch to the
site. However, a similar URL, applied with the necessary
modifications to an unprotected site, would yield the
desired result.)
Author: UkR_XblP
Exploit: http://www.victim.org/cgi-bin/replicator/webpage.cgi/313373/ukr.htm
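
A defender-side check for the failure mode described above, as an added example that is not part of the original post or the vendor's code: it scans an error page returned by your own CGI application for the details the advisory lists. The variable names are the standard CGI/Apache ones; the dump layout and both sample pages are constructed, since the post does not show webpage.cgi's actual output.

```python
import html
import re

# Details named in the advisory, keyed by the standard CGI/Apache variable names
# (assumed mapping; the post gives only informal names).
SENSITIVE = {
    "SCRIPT_FILENAME": "script location",
    "DOCUMENT_ROOT": "HTTP root",
    "SERVER_ADMIN": "server admin address",
    "SERVER_NAME": "server name",
    "PATH": "search path",
}
# One "NAME = value", "NAME: value" or "NAME => value" pair per line.
PAIR = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*(?:=>?|:)\s*(\S.*?)\s*$", re.M)
PERL_VERSION = re.compile(r"\bperl[^\n]{0,20}?\bv?(5\.\d+(?:[._]\d+)*)", re.I)


def find_env_leaks(body):
    """Return {label: value} for environment details exposed in a response body."""
    # Turn line-breaking tags into newlines, drop other markup, decode entities.
    text = re.sub(r"(?i)<\s*(br|/p|/li|/tr|/div)[^>]*>", "\n", body)
    text = html.unescape(re.sub(r"<[^>]+>", "", text))
    leaks = {}
    for name, value in PAIR.findall(text):
        if name in SENSITIVE:
            leaks[SENSITIVE[name]] = value
    match = PERL_VERSION.search(text)
    if match:
        leaks["Perl version"] = match.group(1)
    return leaks


def is_env_dump(body, threshold=2):
    """Flag a page only when several distinct details appear together."""
    return len(find_env_leaks(body)) >= threshold


# Constructed sample: an error page that appends an environment dump.
SAMPLE_ERROR_PAGE = """<html><body><h1>Error: cannot open database file</h1>
<b>SCRIPT_FILENAME</b> = /home/example/cgi-bin/replicator/webpage.cgi<br>
<b>DOCUMENT_ROOT</b> = /home/example/htdocs<br>
<b>SERVER_ADMIN</b> = webmaster@example.org<br>
<b>SERVER_NAME</b> = www.example.org<br>
<b>PATH</b> = /usr/local/bin:/usr/bin:/bin<br>
Perl version: 5.005_03
</body></html>"""
# Constructed sample: an error page that discloses nothing.
SAMPLE_CLEAN_PAGE = "<html><body><h1>Page not found</h1><p>Contact: the site owner.</p></body></html>"
```

Run it against the error responses your own scripts return for a missing or invalid file argument; any page that trips `is_env_dump` should be replaced with a generic error message, with the details written to the server log instead.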