[9078] in bugtraq
Re: test-cgi - Re: HTTP REQUEST METHOD flaw
daemon@ATHENA.MIT.EDU (Peter van Dijk)
Fri Jan 15 14:30:03 1999
Mail-Followup-To: BUGTRAQ@NETSPACE.ORG
Date: Fri, 15 Jan 1999 14:26:32 +0100
Reply-To: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
From: Peter van Dijk <peter@ATTIC.VUURWERK.NL>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990114093533.L7568@attic.vuurwerk.nl>; from Peter van Dijk on
Thu, Jan 14, 1999 at 09:35:33AM +0100
On Thu, Jan 14, 1999 at 09:35:33AM +0100, Peter van Dijk wrote:
> On Wed, Jan 13, 1999 at 10:12:13AM -0600, monti wrote:
> > At least one exploitable application for throwing arbitrary characters
> > into an HTTP request method is good old "test-cgi".
> >
> > The suggested (and from what I have seen on most systems, typical) fix
> > for the original bug in this script was to put the "QUERY_STRING" variable
> > in test-cgi in quotes to prevent its use for listing files.
> >
> > With mnemonix's post regarding the REQUEST METHOD's "feature", many users
> > are re-exposed to the test-cgi problem, as the "REQUEST_METHOD" variable
> > remains un-quoted in the following shell command:
> >
> > echo REQUEST_METHOD = $REQUEST_METHOD
> >
> > Instead of using "*" or a pathname followed by "*" as an argument to
> > test-cgi as in:
> >
> > GET /cgi-bin/test-cgi?* HTTP/1.0
> >
> > An attacker could use something like the following:
> >
> > * /cgi-bin/test-cgi HTTP/1.0
> > to see contents of /cgi-bin directory of web-root
>
> A paper I wrote somewhere in 1997(!) notes that CONTENT_TYPE, CONTENT_LENGTH,
> HTTP_ACCEPT, HTTP_REFERER, PATH_INFO, PATH_TRANSLATED, QUERY_STRING,
> REQUEST_METHOD and SERVER_PROTOCOL are under control of the user.
>
> If you control your reverse and forward DNS, you could also theoretically
> control REMOTE_HOST.
To add to that: Putting /*/*/*/*/*/*/* (etc.) in 2 or 3 of these variables,
requesting test-cgi about 20 times in a row and each time cancelling your
request will drive the load on the server way up, making disk access slow.
Greetz, Peter.
--
<squeezer> AND I AM GONNA KILL MIKE | Peter van Dijk
<squeezer> hardbeat, if you're still sober: | peter@attic.vuurwerk.nl
<squeezer> @date = localtime(time); | realtime security d00d
<squeezer> $date[5] += 2000 if ($date[5] < 37); |
<squeezer> $date[5] += 1900 if ($date[5] < 99); | * blah *
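The unquoted `echo REQUEST_METHOD = $REQUEST_METHOD` line discussed in this thread, next to the quoted form that stops the shell from globbing the request method. This is an added example, not the test-cgi script from any distribution; the `run_case` helper and the two placeholder files standing in for a cgi-bin directory are constructed here.

```shell
#!/bin/sh
# Added example: shows why the unquoted variable in test-cgi lists the
# current directory when the request method is "*", and the quoted fix.

# Stand-in for the original test-cgi line. The variable is unquoted, so the
# shell performs pathname expansion on whatever the client sent.
vulnerable_echo() {
    echo REQUEST_METHOD = $REQUEST_METHOD
}

# Hardened form: double quotes keep the value a single word; no globbing.
fixed_echo() {
    echo "REQUEST_METHOD = $REQUEST_METHOD"
}

# Run one of the two functions from inside a constructed directory that
# stands in for cgi-bin, with an attacker-chosen method value, and print
# what the client would receive. Returns the function's exit status.
run_case() {
    _fn="$1"
    _method="$2"
    _dir=$(mktemp -d) || return 1
    : > "$_dir/phf"          # constructed sample files, not a real cgi-bin
    : > "$_dir/test-cgi"
    (
        cd "$_dir" || exit 1
        export REQUEST_METHOD="$_method"
        "$_fn"
    )
    _rc=$?
    rm -rf "$_dir"
    return $_rc
}

# Demonstration with the hostile method "*" from the thread:
echo "unquoted:"; run_case vulnerable_echo '*'   # lists phf test-cgi
echo "quoted:";   run_case fixed_echo '*'        # prints the literal *
```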