Bugtraq mailing list archives
IRIX 6.x /cgi-bin/wrap bug
From: spd () GTC1 CPS UNIZAR ES (J.A. Gutierrez)
Date: Sun, 20 Apr 1997 01:18:32 +0200
Hi Here is a funny one: WWW HTTP/1.0 Server, as shipped with IRIX 6.2 (at least in low end machines) includes a perl script (wrap) which allows anyone on the net to get a listing for any directory with mode +755. Simply use http://sgi.victim/cgi-bin/wrap?/../../../../../etc (for instance) There is a nice interface to this bug at http://persephone.cps.unizar.es/~spd/pub/ls.cgi If you are running this server, here is a fix *** /var/www/cgi-bin/wrap Sat Apr 19 23:08:03 1997 --- /var/www/cgi-bin/wrap.O Sat Apr 19 23:07:44 1997 *************** *** 66,74 **** $doc = $ROOT.$PATH ; &DefaultMesg if ! defined $PATH || $PATH eq "" ; # Get a base listing =) - - $_ = $PATH; - &ErrBadPath unless &ValidPath ; # Check for server spoofing &ErrBadPath unless -e $doc ; # Check to see it exists &HandleDownload if -f $doc ; # Do the right thing --- 66,71 ---- (i don't know too much about perl, maybe you can do it better) -- .signature intentionally left blank
Current thread:
- Sendmail Vulnerability. Alan Brown (Apr 14)
- TcpWrappers and Sendmail Neil Harkins (Apr 15)
- Handy change I made in ltread.c Nathan D. Faber (Apr 15)
- NIS+ and signed directory objects Sun Security Coordination (Apr 15)
- Update on PHP/FI hole Shamanski (Apr 16)
- Buffer overflow in sperl5.003 Murphy (Apr 17)
- Re: Buffer overflow in sperl5.003 David Luyer (Apr 17)
- Re: Buffer overflow in sperl5.003 Jon Lewis (Apr 19)
- [NTSEC] ALERT - NT security flaw announcement Aleph One (Apr 18)
- Beta testers wanted for new security tool! Alfred Huger (Apr 18)
- IRIX 6.x /cgi-bin/wrap bug J.A. Gutierrez (Apr 19)
- Re: Buffer overflow in sperl5.003 David Luyer (Apr 17)
- PHP/FI command line buffer overflow David Sacerdote (Apr 17)
- Sun Security Bulletin #00138 Aleph One (Apr 17)