[2070] in bugtraq
SECURITY HOLE: "Guestbook"
daemon@ATHENA.MIT.EDU (Paul Phillips)
Thu Aug 3 12:44:32 1995
Followup-To: comp.infosystems.www.authoring.cgi
Date: Wed, 2 Aug 1995 22:04:32 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Paul Phillips <paulp@CERF.NET>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
The version of "Guestbook" available at
<URL:http://alpha.pr1.k12.co.us/~mattw/scripts/guestbook.html>
allows execution of arbitrary commands under the server UID.

If this sounds familiar, it should: it's the third security
hole of this nature I've found in two days. I'm posting this one
more widely in the hope that it will inspire people to be more
careful when writing CGI scripts for public consumption, and because
this one is in very wide use.

It's the same old story -- forks a shell and sends off user
supplied form data without checking it at all. In my probes
I'm also finding sites running their webservers as root...
BAD BAD. DON'T DO THIS.

Followups to comp.infosystems.www.authoring.cgi, please.
--
Paul Phillips | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net> | have a graphical browser"
<URL:http://www.primus.com/staff/paulp/> | -- Canter and Siegel, on
<URL:pots://+1-619-220-0850/is/paul/there?> | their short-lived web site
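The flaw class the post describes is a CGI handler that concatenates form fields into a command string and hands it to a shell. The following is an added example written for this archive page, not code from the post or from the Guestbook script it refers to; the field names, the allowlist patterns and the `mail` notifier invocation are assumptions. It contrasts the string-building pattern with a handler that validates every field against an allowlist and passes the value as one argv element with no shell in between, and it demonstrates that a shell-hostile value reaches a child process unchanged that way.

```python
import re
import subprocess
import sys

# Constructed sample submissions (not taken from the post). The second
# one carries shell metacharacters only to show that the allowlist
# rejects it and that argv passing keeps such a value inert.
SAMPLE_SUBMISSIONS = [
    {"name": "Alice Example", "email": "alice@example.org", "comment": "Nice site!"},
    {"name": "Mallory", "email": "mallory@example.org; id", "comment": "hi"},
]

# Per-field allowlist: the value must fully match the pattern and stay
# under the length cap. Field names and patterns are assumptions.
FIELD_RULES = {
    "name": (re.compile(r"[A-Za-z .'-]+"), 64),
    "email": (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), 128),
    "comment": (re.compile(r"[\w .,!?'()-]+"), 1000),
}


def validate_field(field, value):
    """Return True only if value matches the allowlist for field."""
    rule = FIELD_RULES.get(field)
    if rule is None:
        return False
    pattern, max_len = rule
    return len(value) <= max_len and pattern.fullmatch(value) is not None


def unsafe_shell_command(email):
    """The pattern the post warns about: user data concatenated into a
    string destined for /bin/sh. Shown for contrast only; never run it."""
    return "mail -s 'New guestbook entry' " + email


def notification_argv(submission):
    """Validate every field, then build an argv list for the notifier.
    Raises ValueError for any value outside its allowlist."""
    for field, value in submission.items():
        if not validate_field(field, value):
            raise ValueError(f"rejected field {field!r}")
    # Hypothetical notifier (mail). The list goes to an execve-style API,
    # so no shell ever parses the user-supplied address.
    return ["mail", "-s", "New guestbook entry", submission["email"]]


def argv_passthrough(value):
    """Show that shell=False delivers an argument byte-for-byte: the child
    is a one-line Python program that echoes back argv[1]."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True)
    return result.stdout


def process_all(submissions):
    """Split submissions into accepted argv lists and rejected (email, reason)."""
    accepted, rejected = [], []
    for sub in submissions:
        try:
            accepted.append(notification_argv(sub))
        except ValueError as exc:
            rejected.append((sub["email"], str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = process_all(SAMPLE_SUBMISSIONS)
    print("accepted:", ok)
    print("rejected:", bad)
    print("unsafe string would have been:", unsafe_shell_command(SAMPLE_SUBMISSIONS[1]["email"]))
    print("argv passthrough:", repr(argv_passthrough("a@b.c; id")))
```

The two controls are independent: the allowlist stops the bad value at the door, and the argv list means that even a value that slipped past validation would arrive at the notifier as a single literal argument rather than as shell syntax. Running the CGI process as an unprivileged user, as the post also urges, limits what either failure could reach.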