Bugtraq mailing list archives
Vulnerability in test-cgi...
From: apropos () sover net (Apropos of Nothing)
Date: Sat, 30 Nov 1996 13:46:42 -0500
If you query test-cgi with

    http://server.com/cgi-bin/test-cgi?*

Test-cgi pads the '*' with a '\' mark. Thus, the first line returned is:

    argc is 1. argv is \*

And if you were to query with

    http://server.com/cgi-bin/test-cgi?/*

The response would be:

    argc is 1. argv is \/*

Interestingly enough, however, if you query with http://server.com/cgi-bin/test-cgi?%0A/*, the result is:

    argc is 1. argv is \/*

Although it should be:

    argc is 1. argv is \%0A/*

You'll notice that the %0A (line break) command is executed BEFORE the characters are padded. In this way any command can be passed to test-cgi's first result field, and executed (within the cgi).

It seems that all that would be needed to crack test-cgi would be to pass some kind of escape or break command to test-cgi in the %gobbledygook format. What would happen if several delete commands were passed?

I'd be interested to know what some of you can do with this.

apropos of nothing
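The ordering described in the post above (percent-decoding first, backslash-padding second) can be modelled for defensive testing. This is an added example, not code from the original post or from any web server; the `SHELL_META` and `ALLOWED` byte sets and both function names are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes

# Assumed metacharacter list for this sketch; not copied from any real server.
SHELL_META = set(b"&;`'\"|*?~<>^()[]{}$\\")
# Conservative allow-list for a single CGI argument (also an assumption).
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-/")


def decode_then_escape(raw_query: str) -> bytes:
    """Weak ordering: percent-decode, then backslash-escape listed bytes.

    A decoded control byte such as 0x0A is not in SHELL_META, so it reaches
    the output with no backslash in front of it.
    """
    out = bytearray()
    for b in unquote_to_bytes(raw_query):
        if b in SHELL_META:
            out.append(ord("\\"))
        out.append(b)
    return bytes(out)


def strict_argument(raw_query: str) -> bytes:
    """Hardened form: decode exactly once, then reject anything not allowed."""
    decoded = unquote_to_bytes(raw_query)
    bad = sorted({b for b in decoded if b not in ALLOWED})
    if bad:
        raise ValueError("rejected bytes: " + ", ".join(f"0x{b:02x}" for b in bad))
    return decoded


if __name__ == "__main__":
    # Constructed sample queries, modelled on the ones in the post.
    for q in ["*", "/*", "%0A/*", "%250A", "docs/readme.txt"]:
        print(repr(q), "->", decode_then_escape(q))
        try:
            print("   strict:", strict_argument(q))
        except ValueError as e:
            print("   strict:", e)
```

Validating the decoded bytes against an allow-list, rather than escaping a deny-list, also catches the double-encoded `%250A` case, because the single decode leaves a literal `%` that the allow-list refuses.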