[3729] in bugtraq


Re: Vulnerability in test-cgi...

daemon@ATHENA.MIT.EDU (Joe Zbiciak)
Mon Dec 2 23:31:59 1996

X-Apparently-From: "Not Your Average Joe [tm]" <im14u2c@cegt201.bradley.edu>
X-Apparently-To: You@Wherever.You.Are
Date: 	Mon, 2 Dec 1996 20:43:15 -0600
Reply-To: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
From: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
X-To:         jaltuve@ibm.net
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <199612022350.XAA61909@smtp-gw01.ny.us.ibm.net> from "Jesus Altuve" at Dec 2, 96 07:45:58 pm

And then Jesus Altuve went and said something like this:

|
|Safe??? there's a way to inventory the files on a server using the TEST-CGI
|program! (on certain setups) here's the advisory L0pth released on April..

[...]

|On many web sites there exists a file called test-cgi (usually in
|the cgi-bin directory or somewhere similar). There is a problem
|with many of these test-cgi files. If your test-cgi file contains
|the following line (verbatim) then you are probably vulnerable.
|
|echo QUERY_STRING = $QUERY_STRING
|
|All of these lines should have the variables enclosed in loose
|quotes ("). Without these quotes certain special characters
|(specifically '*') get expanded where they shouldn't.
Perhaps a better fix is to disable "globbing" altogether, unless it's
absolutely required.  Under Bourne-derived shells, this is done with

set -f

Indeed, this closes up the hole for all of the non-quoted strings.
An even better fix:  remove test-cgi.  :-)  Of course, that doesn't
work for the cases when you do use a shell script for some trivial
web task.  Disabling shell globbing, except as needed, is a good measure
in general for CGI scripts.

--Joe
--
                                                :======= Joe Zbiciak =======:
                                                :- - im14u2c@bradley.edu - -:
    "Puritanism is the haunting fear that       : - - - - - http: - - - - - :
     someone, somewhere, might be happy."       ://ee1.bradley.edu/~im14u2c/:
         --H. L. Mencken                        :======= DISCLAIMER: =======:
                                                :== You mean you actually ==:
                                                :== listen to this stuff? ==:
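As an added example (not part of this thread or of the L0pht advisory it quotes), the POSIX shell script below reproduces the three behaviours discussed above side by side in a scratch directory: the advisory's unquoted `echo QUERY_STRING = $QUERY_STRING`, the advisory's fix of double-quoting the expansion, and Joe's `set -f` fix that disables pathname expansion while leaving the line unquoted. The sandbox directory, the three file names in it and the function names are constructed for the demonstration; no real cgi-bin is touched.

```shell
#!/bin/sh
# Added example: why an unquoted $QUERY_STRING in a CGI shell script leaks a
# directory listing when the query contains a wildcard, and how quoting or
# `set -f` stops it.  Everything below runs inside a throwaway directory.

# Scratch directory standing in for the CGI script's working directory
# (constructed; the file names are arbitrary sample data).
SANDBOX=$(mktemp -d)
touch "$SANDBOX/index.html" "$SANDBOX/secret.conf" "$SANDBOX/test-cgi"

# Run a one-line script with the given QUERY_STRING from inside the
# sandbox, exactly as a CGI server would hand the query to the script,
# and print whatever the script echoes.
run_in_sandbox() {
    _snippet=$1
    _query=$2
    ( cd "$SANDBOX" && QUERY_STRING=$_query sh -c "$_snippet" )
}

# Vulnerable form from the advisory: the unquoted expansion is subject to
# word splitting and pathname expansion, so a query of "*" becomes the
# list of files in the current directory.
vulnerable_echo() {
    run_in_sandbox 'echo QUERY_STRING = $QUERY_STRING' "$1"
}

# Fix from the advisory: double-quote the expansion so the shell never
# treats its contents as a glob pattern.
quoted_echo() {
    run_in_sandbox 'echo "QUERY_STRING = $QUERY_STRING"' "$1"
}

# Fix suggested in the reply: `set -f` turns off pathname expansion for the
# rest of the script, which protects every unquoted expansion at once.
noglob_echo() {
    run_in_sandbox 'set -f; echo QUERY_STRING = $QUERY_STRING' "$1"
}

# Remove the scratch directory when done.
cleanup() {
    rm -rf "$SANDBOX"
}

# Stand-alone demonstration.
echo "vulnerable : $(vulnerable_echo '*')"
echo "quoted     : $(quoted_echo '*')"
echo "set -f     : $(noglob_echo '*')"
```

With the three sample files present, the vulnerable form prints `QUERY_STRING = index.html secret.conf test-cgi`, i.e. an inventory of the directory, while both fixes print the literal `QUERY_STRING = *`. A harmless query such as `name=joe` prints the same under all three, which is the point of `set -f`: it costs nothing for ordinary input and removes the whole class of unquoted-glob leaks rather than one line of them.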
