[3721] in bugtraq


Re: Vulnerability in test-cgi...

daemon@ATHENA.MIT.EDU (Roger Espel Llima)
Mon Dec 2 01:08:33 1996

Date: 	Mon, 2 Dec 1996 05:37:11 +0100
Reply-To: Roger Espel Llima <espel@clipper.ens.fr>
From: Roger Espel Llima <espel@clipper.ens.fr>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <v03007800aec5e59b19dd@[204.71.18.177]> from "Apropos of Nothing"
              at Nov 30, 96 01:46:42 pm

>> If you query test-cgi with http://server.com/cgi-bin/test-cgi?*
>> Test-cgi pads the '*' with a '\' mark.  Thus, the first line returned is:
>> argc is 1. argv is \*
>>  And if you were to query with http://server.com/cgi-bin/test-cgi?/*  The
>> response would be:
>> argc is 1. argv is \/*
>> Interestingly enough, however, if you query with
>> http://server.com/cgi-bin/test-cgi?%0A/*, the result is:
>> argc is 1. argv is
>>  \/*
>> Although it should be:
>> argc is 1. argv is \%0A/*
>> You'll notice that the %0A (line break) command is executed BEFORE the
>> characters are padded.  In this way any command can be passed to test-cgi's
>> first result field, and executed (within the cgi).  It seems that all that
>> would be needed to crack test-cgi would be to pass some kind of escape or
>> break command to test-cgi in the %gobbledygook format.  What would happen
>> if several delete commands were passed?

Here at least, test-cgi is a /bin/sh script that contains only "echo"
lines and one "/bin/env | /usr/ucb/fold -78".

Whatever you put into $# and $*, no sane /bin/sh will execute an external
program when evaluating the line:

  echo argc is $#. argv is "$*".

so it seems to me that test-cgi is safe...

        -Roger
--
e-mail: roger.espel.llima@ens.fr
WWW page & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
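
As an added example (it is not part of Roger's message, and it is not the contents of any real test-cgi), the following sh script reproduces the one line he quotes and feeds it the kinds of argument the thread discusses: a `$(...)` substitution, an embedded newline such as `%0A` decodes to, and a bare `*`. The unquoted variant of the line is an assumption introduced here for contrast, not a line from the thread: it shows that the double quotes around `$*` are what keep a `*` from being expanded against the filesystem, while no form of this line ever runs the argument as a command.

```shell
#!/bin/sh
# Added example, not code from the original message or from a shipped test-cgi.
# Reproduces the line quoted in the thread:
#   echo argc is $#. argv is "$*".
# and feeds it hostile arguments to show what a POSIX sh does with them.

NL='
'   # a literal newline, the decoded form of %0A in a query string

# The line as quoted in the thread. The positional parameters stand in for
# the words the HTTP server hands the script from the query string.
quoted_line() {
  echo argc is $#. argv is "$*".
}

# Contrast case (an assumption of this example, not from the thread): the same
# line with the quotes around $* removed, so the shell performs field splitting
# and pathname expansion on the arguments before echo sees them.
unquoted_line() {
  echo argc is $#. argv is $*.
}

# A command substitution in the argument. If the shell re-evaluated the
# argument, the output would contain INJECTED without the $( ); because
# parameter expansion is not followed by a second parse, the text stays literal.
probe_substitution() {
  quoted_line '$(printf INJECTED)'
}

# An embedded newline followed by what looks like a command line (the %0A
# case from the original post). The newline is printed inside the quotes and
# nothing after it is executed; "id" appears only as echoed text.
probe_newline() {
  quoted_line "${NL}/bin/rm -rf /tmp/nothing; id"
}

# A bare * as the first argument, run in a scratch directory holding two
# files. The quoted line prints the * itself; the unquoted line lets the shell
# expand it to the directory listing. Neither form executes anything.
probe_glob() {
  dir=$(mktemp -d) || return 1
  : > "$dir/a.txt"
  : > "$dir/b.txt"
  ( cd "$dir" && quoted_line '*' x && unquoted_line '*' x )
  rm -rf "$dir"
}

# Run directly to see all three probes.
probe_substitution
probe_newline
probe_glob
```

The three probes print, in order, `argc is 1. argv is $(printf INJECTED).`, a two-line `argv is` field containing the rm/id text verbatim, and then `* x.` from the quoted line against `a.txt b.txt x.` from the unquoted one. The only behaviour that changes with quoting is pathname expansion; word-splitting and globbing happen after parameter expansion, and command substitution does not, so no `$`, `;` or newline smuggled in through the query string reaches the parser as syntax.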
