Bugtraq mailing list archives
BigIP - bigconf.cgi holes
From: guy () CRYPTO ORG IL (Guy Cohen)
Date: Sun, 13 Jun 1999 22:18:20 +0300
Hello, For those of you who don't know what is BigIP, it is a software developed by F5 labs to handle incoming traffic and redirect it to a server with in a group of servers. It is installed on BSDI system (maybe other too). Once it is has been installed you can configure it either by using a command line or by using the html interface (http server comes with the software). The html interface basicly operates one program, bigconf.cgi, witch is installed suid root. I have not spend much time learning how to exploit this program, but from the bits I did, I was able to look at _any_ file on the system simply by giving it's name to the cgi program (with appropriate parameters of course). The risk here is not from the outside, as the http server is protected by a password, but from internal users. Less risk, but still ... F5 has been notifyed. -- Guy Cohen.
Current thread:
- Patch for VirusWall 3.23., (continued)
- Patch for VirusWall 3.23. dark spyrit (Nov 07)
- Netscape Web Publisher Tim Jones (Nov 06)
- Re: Netscape Web Publisher Mnemonix (Nov 07)
- Re: Netscape Web Publisher nblasgen () NICK REFRACT COM (Nov 07)
- vwxploit.c unix port Sebastian (Nov 08)
- Windows NT Spooler Service. Avri Schneider (Nov 07)
- [w00giving '99 #2] IMAIL POP server Shok (Nov 07)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Blue Boar (Nov 07)
- Re: Guestbook.pl, sloppy SSI handling in Apache? (VD#2) Jefferson Ogata (Nov 08)
- MS Outlook alert : Cuartango Active Setup Elias Levy (Nov 08)
- BigIP - bigconf.cgi holes Guy Cohen (Jun 13)
- Re: MS Outlook alert : Cuartango Active Setup David LeBlanc (Nov 08)
- Re: MS Outlook alert : Cuartango Active Setup - Workaround Instructions Mark (Nov 08)
- Insecure handling of NetSol maintainer passwords jlewis () LEWIS ORG (Nov 08)
- flaw in dmesg under Solaris echo8 (Nov 09)
- Re: Insecure handling of NetSol maintainer passwords Jefferson Ogata (Nov 09)
- Re: Insecure handling of NetSol maintainer passwords pedward () WEBCOM COM (Nov 10)
- Re: Insecure handling of NetSol maintainer passwords Trevor Schroeder (Nov 10)
- networksolutions CRYPT-PW salt (was: Re: Insecure handling of NetSol maintainer passwords) Jefferson Ogata (Nov 10)
- [Cobalt] Security Advisory - cgiwrap Jeff Bilicki (Nov 09)
- Re: MS Outlook alert : Cuartango Active Setup - Workaround Instructions Andy Helsby (Nov 09)