Bugtraq mailing list archives
IRIX 6.x /cgi-bin/wrap bug
From: spd () GTC1 CPS UNIZAR ES (J.A. Gutierrez)
Date: Sun, 20 Apr 1997 01:18:32 +0200
Hi
Here is a funny one: WWW HTTP/1.0 Server, as shipped with
IRIX 6.2 (at least in low end machines) includes a perl
script (wrap) which allows anyone on the net to get a
listing for any directory with mode +755.
Simply use
http://sgi.victim/cgi-bin/wrap?/../../../../../etc
(for instance)
There is a nice interface to this bug at
http://persephone.cps.unizar.es/~spd/pub/ls.cgi
If you are running this server, here is a fix
*** /var/www/cgi-bin/wrap Sat Apr 19 23:08:03 1997
--- /var/www/cgi-bin/wrap.O Sat Apr 19 23:07:44 1997
***************
*** 66,74 ****
$doc = $ROOT.$PATH ;
&DefaultMesg if ! defined $PATH || $PATH eq "" ; # Get a base listing =)
-
- $_ = $PATH;
-
&ErrBadPath unless &ValidPath ; # Check for server spoofing
&ErrBadPath unless -e $doc ; # Check to see it exists
&HandleDownload if -f $doc ; # Do the right thing
--- 66,71 ----
(i don't know too much about perl, maybe you can do it better)
--
.signature intentionally left blank
Current thread:
- Sendmail Vulnerability. Alan Brown (Apr 14)
- TcpWrappers and Sendmail Neil Harkins (Apr 15)
- Handy change I made in ltread.c Nathan D. Faber (Apr 15)
- NIS+ and signed directory objects Sun Security Coordination (Apr 15)
- Update on PHP/FI hole Shamanski (Apr 16)
- Buffer overflow in sperl5.003 Murphy (Apr 17)
- Re: Buffer overflow in sperl5.003 David Luyer (Apr 17)
- Re: Buffer overflow in sperl5.003 Jon Lewis (Apr 19)
- [NTSEC] ALERT - NT security flaw announcement Aleph One (Apr 18)
- Beta testers wanted for new security tool! Alfred Huger (Apr 18)
- IRIX 6.x /cgi-bin/wrap bug J.A. Gutierrez (Apr 19)
- Re: Buffer overflow in sperl5.003 David Luyer (Apr 17)
- PHP/FI command line buffer overflow David Sacerdote (Apr 17)
- Sun Security Bulletin #00138 Aleph One (Apr 17)