[4304] in bugtraq
IRIX 6.x /cgi-bin/wrap bug
daemon@ATHENA.MIT.EDU (J.A. Gutierrez)
Sat Apr 19 22:21:24 1997
Date: Sun, 20 Apr 1997 01:18:32 +0200
Reply-To: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Hi
Here is a funny one: WWW HTTP/1.0 Server, as shipped with
IRIX 6.2 (at least in low end machines) includes a perl
script (wrap) which allows anyone on the net to get a
listing for any directory with mode +755.
Simply use
http://sgi.victim/cgi-bin/wrap?/../../../../../etc
(for instance)
There is a nice interface to this bug at
http://persephone.cps.unizar.es/~spd/pub/ls.cgi
If you are running this server, here is a fix
*** /var/www/cgi-bin/wrap Sat Apr 19 23:08:03 1997
--- /var/www/cgi-bin/wrap.O Sat Apr 19 23:07:44 1997
***************
*** 66,74 ****
$doc = $ROOT.$PATH ;
&DefaultMesg if ! defined $PATH || $PATH eq "" ; # Get a base listing =)
-
- $_ = $PATH;
-
&ErrBadPath unless &ValidPath ; # Check for server spoofing
&ErrBadPath unless -e $doc ; # Check to see it exists
&HandleDownload if -f $doc ; # Do the right thing
--- 66,71 ----
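Review bot: The file order in the header looks reversed, so the patch applies backwards. In context-diff format the `***` file is the old one and `-` lines are removals, so as posted this takes `$_ = $PATH;` out of /var/www/cgi-bin/wrap to produce wrap.O; the timestamps (wrap 23:08:03, wrap.O 23:07:44) also suggest wrap is the edited copy. If the fix is to set `$_` just before `&ErrBadPath unless &ValidPath ;`, regenerate the diff from wrap.O to wrap, or state that it must be applied reversed. Separately, the check then depends on &ValidPath reading `$_` implicitly, and its body is not shown here; passing `$PATH` as an explicit argument would make that dependency visible, and the new assignment deserves a comment saying why it is needed.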
(I don't know too much about Perl, maybe you can do it better)
--
.signature intentionally left blank
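
Added example, not part of the original post: a check of web server access logs for the request shape described above (a `..` path segment in the query string passed to /cgi-bin/wrap), run over constructed Common Log Format lines. The log format, the function names and the percent-decoding step are assumptions; the post does not say how the server logs requests or whether wrap decodes escapes.

```python
import re
from urllib.parse import unquote

# NCSA Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def decode_fully(s, rounds=3):
    """Percent-decode repeatedly so singly and doubly encoded dots surface as '..'."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s

def wrap_traversals(lines):
    """Return (client, status, decoded_query) for wrap requests whose query has a '..' segment."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a parseable CLF line
        client, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if decode_fully(path).rstrip("/") != "/cgi-bin/wrap":
            continue
        q = decode_fully(query).replace("\\", "/")
        # Match whole path segments only, so a name like 'a..b' is not flagged.
        if ".." in q.split("/"):
            hits.append((client, int(status), q))
    return hits

# Constructed sample lines (not from any real server).
SAMPLE = [
    '192.0.2.10 - - [19/Apr/1997:23:01:02 +0200] "GET /cgi-bin/wrap?/../../../../../etc HTTP/1.0" 200 2048',
    '192.0.2.11 - - [19/Apr/1997:23:02:10 +0200] "GET /cgi-bin/wrap?/docs/manual HTTP/1.0" 200 512',
    '192.0.2.12 - - [19/Apr/1997:23:03:45 +0200] "GET /cgi-bin/wrap?/%2e%2e/%2e%2e/var HTTP/1.0" 200 1024',
    '192.0.2.13 - - [19/Apr/1997:23:04:00 +0200] "GET /index.html HTTP/1.0" 200 300',
    '192.0.2.14 - - [19/Apr/1997:23:05:00 +0200] "GET /cgi-bin/wrap?/a..b/file HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for hit in wrap_traversals(SAMPLE):
        print(hit)
```

A 200 status on a flagged line means the listing was served, so those entries are the ones to review first.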