[3720] in bugtraq
Vulnerability in test-cgi...
daemon@ATHENA.MIT.EDU (Apropos of Nothing)
Sun Dec 1 23:33:54 1996
Date: Sat, 30 Nov 1996 13:46:42 -0500
Reply-To: Apropos of Nothing <apropos@sover.net>
From: Apropos of Nothing <apropos@sover.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
If you query test-cgi with http://server.com/cgi-bin/test-cgi?*
Test-cgi pads the '*' with a '\' mark. Thus, the first line returned is:
argc is 1. argv is \*
And if you were to query with http://server.com/cgi-bin/test-cgi?/* The
response would be:
argc is 1. argv is \/*
Interestingly enough, however, if you query with
http://server.com/cgi-bin/test-cgi?%0A/*, the result is:
argc is 1. argv is
\/*
Although it should be:
argc is 1. argv is \%0A/*
You'll notice that the %0A (line break) command is executed BEFORE the
characters are padded. In this way any command can be passed to test-cgi's
first result field, and executed (within the cgi). It seems that all that
would be needed to crack test-cgi would be to pass some kind of escape or
break command to test-cgi in the %gobbledygook format. What would happen
if several delete commands were passed?
I'd be interested to know what some of you can do with this.
apropos of nothing
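An added model of the ordering problem the post describes, written for this page and not part of the original message or of any httpd's source: if a server backslash-escapes shell metacharacters in the raw query string and only then decodes %XX sequences, a %0A becomes a bare newline in argv; decoding first (or allowlisting the decoded value) closes the gap. The metacharacter set and the helper names are constructed for illustration.

```python
"""Model of escape-before-decode vs decode-before-escape for a CGI query
string (constructed example; not any real server's code)."""
from typing import List, Optional
from urllib.parse import unquote

# Constructed set of characters a shell treats specially; note that the
# newline is in it, since it separates commands just as ';' does.
SHELL_META = set("&;`'\\\"|*?~<>^()[]{}$\n\r")


def escape_meta(s: str) -> str:
    """Prefix every metacharacter with a backslash."""
    return "".join("\\" + c if c in SHELL_META else c for c in s)


def argv_escape_then_decode(query: str) -> str:
    """Vulnerable ordering: %0A survives escaping (it is just '%','0','A')
    and only afterwards turns into an unescaped newline."""
    return unquote(escape_meta(query))


def argv_decode_then_escape(query: str) -> str:
    """Safe ordering: decode first, so the newline is present when escaping."""
    return escape_meta(unquote(query))


def argv_allowlist(query: str) -> Optional[str]:
    """Stricter alternative: decode, then accept only a small allowlist."""
    decoded = unquote(query)
    if not decoded or not all(c.isalnum() or c in "-_." for c in decoded):
        return None
    return decoded


def unescaped_meta(argv: str) -> List[str]:
    """Detection check: list metacharacters not preceded by a backslash."""
    found, i = [], 0
    while i < len(argv):
        if argv[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if argv[i] in SHELL_META:
            found.append(argv[i])
        i += 1
    return found
```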