Bugtraq mailing list archives

Vulnerability in test-cgi...


From: apropos () sover net (Apropos of Nothing)
Date: Sat, 30 Nov 1996 13:46:42 -0500


If you query test-cgi with http://server.com/cgi-bin/test-cgi?*

Test-cgi pads the '*' with a '\' mark.  Thus, the first line returned is:

argc is 1. argv is \*

And if you were to query with http://server.com/cgi-bin/test-cgi?/*, the
response would be:

argc is 1. argv is \/*

Interestingly enough, however, if you query with
http://server.com/cgi-bin/test-cgi?%0A/*, the result is:

argc is 1. argv is
 \/*

Although it should be:
argc is 1. argv is \%0A/*

You'll notice that the %0A (line break) command is executed BEFORE the
characters are padded.  In this way any command can be passed to test-cgi's
first result field, and executed (within the cgi).  It seems that all that
would be needed to crack test-cgi would be to pass some kind of escape or
break command to test-cgi in the %gobbledygook format.  What would happen
if several delete commands were passed?

I'd be interested to know what some of you can do with this.

apropos of nothing


