[4020] in bugtraq


view-source

daemon@ATHENA.MIT.EDU (myst)
Sun Feb 9 00:08:10 1997

Date: 	Sat, 8 Feb 1997 19:49:28 -0500
Reply-To: myst <myst@LIGHT-HOUSE.NET>
From: myst <myst@LIGHT-HOUSE.NET>
To: BUGTRAQ@netspace.org

---------- Forwarded message from PLaGuEZ ----------
Date: Sat, 1 Jan 1994 04:01:53 +0100
From: PLaGuEZ <dube0866@eurobretagne.fr>
To: myst@light-house.net


Hi.

I've just found a pretty ugly hole in the view-source cgi-shell script.

   This script, which can be found on some httpd distributions and
   on SCO Skunkware cdroms, is designed to display a given document
   located in $DOCUMENT_ROOT/$1 (where $DOCUMENT_ROOT is an
   environment variable set by the server).

Unfortunately, view-source does not properly check its arguments.

   It is therefore possible to display any file on systems where
   view-source is world executable by sending something like

'http://www.server.com/cgi-bin/view-source?../../../../../../../etc/passwd'



  Obviously this kind of so-called cgi has no business being in
  your cgi-bin directory... Maybe one day cgi will be secure ;)



Fix:
        rm -rf view-source
        _better_:   rm -rf cgi-bin/*



laters,


PLaGuEZ


-----------------------------------------------------
-          PLaGuEZ dube0866@eurobretagne.fr         -
-     http://home.virtual-pc.com/spartan/plaguez    -
-----------------------------------------------------
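
The missing argument check described in the message above, as an added example that is not part of the original post or of the view-source script: a POSIX sh sketch that canonicalises the request and serves it only if it is still inside the document root. It assumes the script reads `$DOCUMENT_ROOT/$1` as the post describes; `resolve_doc` is a hypothetical helper name.

```sh
#!/bin/sh
# Added example (not the original view-source script).
# resolve_doc ROOT REQUEST
#   Prints the canonical path and returns 0 only when REQUEST resolves to a
#   regular, non-symlink file inside ROOT. Returns non-zero otherwise.
resolve_doc() {
    root=$1 req=$2

    # Canonicalise the document root itself (pwd -P resolves symlinks).
    root=$(cd "$root" 2>/dev/null && pwd -P) || return 2

    # Canonicalise the directory that would hold the requested file.
    # "../" sequences and symlinked directories are resolved here,
    # before any comparison is made.
    dir=$(cd "$root/$(dirname -- "$req")" 2>/dev/null && pwd -P) || return 1
    file=$dir/$(basename -- "$req")

    # The resolved path must still sit below the document root.
    case $file in
        "$root"/*) ;;
        *) return 1 ;;
    esac

    # Serve regular files only; refuse a final-component symlink, which
    # could point outside the root.
    [ -f "$file" ] && [ ! -L "$file" ] || return 1

    printf '%s\n' "$file"
}

# CGI entry point: runs only under a web server, which sets GATEWAY_INTERFACE.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if path=$(resolve_doc "$DOCUMENT_ROOT" "${1:-}"); then
        printf 'Content-Type: text/plain\r\n\r\n'
        cat -- "$path"
    else
        printf 'Status: 403 Forbidden\r\n'
        printf 'Content-Type: text/plain\r\n\r\nForbidden\n'
    fi
fi
```

The comparison is done on the resolved path rather than by filtering `..` out of the request string, so encoded or nested traversal sequences and symlinked directories are handled by the same check.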
