Bugtraq mailing list archives

More Alibaba Web Server problems...


From: kerb () FNUSA COM (Kerb)
Date: Wed, 3 Nov 1999 17:19:22 -0600


Hello BugTraq'ers.  I've yet to get around to writing the exploit for
Alibaba that was previously described, but I have found new
bugs.  Using specially formed URLs, I was able to list,
view, create, delete, and/or execute any file I wanted.
Here are a few examples:

http://www.victim.com/cgi-bin/get32.exe|echo%20>c:\command.com
allowed me to overwrite the command.com file.  No explanation
necessary there.  Also, I was able to echo machine code bytes into
a file, so the possibility of a trojan enters the picture.  If they had FTP
running, I guess it wouldn't be much more than a trivial task to write
a URL that copies the trojan binary into the CGI directory and point
your browser at the trojan to execute it.  Or even easier, just create
a URL that will write the binary data of the trojan into an EXE right
in the CGI directory.

http://www.victim.com/cgi-bin/alibaba.pl|dir
allowed me to have a directory listing of all files in CWD, which happens
to be the CGI directory.  This could be useful for a couple things.  One,
finding out the full path to the CGI directory, for using exploits such as
the one listed before this one.  Another would be to find files for
overwriting (using the > operator) or executing.  Another possible use
would be to list all *.pwl in the windows directory.

http://www.victim.com/cgi-bin/tst.bat|type%20c:\windows\win.ini
This URL allowed me to view the entire contents of the c:\windows\win.ini file.
No explanation necessary there.

I chose those 3 CGIs (out of the 15 that came with my install) because they
are of different types; an EXE, a PL, and a BAT.  Basically the examples I
used above are just ideas of what CAN be done.

BTW, I didn't bother to notify Alibaba, as this "is freeware"
so they "don't offer any support" as I believe it was worded.

-Kerb-
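
The URLs in the post all place a shell operator (| or >) after the CGI script name in the request path. The following Python sketch, an added example that is not part of the original post, flags such requests in an access log; the Common Log Format layout, the /cgi-bin/ prefix default, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line of a Common Log Format entry (assumed log layout).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+) HTTP/[\d.]+"')
# Shell pipe, redirection and chaining operators; none belong in a script path.
SHELL_OPERATORS = set("|<>&")

def decode_fully(text, max_rounds=3):
    """Percent-decode repeatedly so %7C and %257C both become '|'."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def flag_cgi_operator_requests(log_lines, cgi_prefix="/cgi-bin/"):
    """Return (line_no, script, operators) for each CGI request whose
    path, query string excluded, contains a shell operator."""
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # Drop the query string first: '&' is legitimate there.
        path = decode_fully(match.group("target").split("?", 1)[0])
        if not path.lower().startswith(cgi_prefix):
            continue
        rest = path[len(cgi_prefix):]
        operators = sorted(SHELL_OPERATORS.intersection(rest))
        if operators:
            script = re.split(r"[|<>&]", rest, maxsplit=1)[0]
            findings.append((line_no, script, operators))
    return findings

# Constructed sample log; the request paths mirror the URLs in the post.
SAMPLE_LOG = [
    r'192.0.2.10 - - [03/Nov/1999:17:01:02 -0600] "GET /index.html HTTP/1.0" 200 1043',
    r'192.0.2.10 - - [03/Nov/1999:17:01:09 -0600] "GET /cgi-bin/tst.bat|type%20c:\windows\win.ini HTTP/1.0" 200 512',
    r'192.0.2.44 - - [03/Nov/1999:17:02:30 -0600] "GET /cgi-bin/alibaba.pl%7Cdir HTTP/1.0" 200 2210',
    r'192.0.2.44 - - [03/Nov/1999:17:03:11 -0600] "GET /cgi-bin/get32.exe|echo%20>c:\command.com HTTP/1.0" 200 0',
    r'192.0.2.51 - - [03/Nov/1999:17:04:40 -0600] "GET /cgi-bin/get32.exe?name=a&b=c HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    for line_no, script, operators in flag_cgi_operator_requests(SAMPLE_LOG):
        print(f"line {line_no}: {script} requested with {' '.join(operators)}")
```

The same test, applied to the decoded path before a request reaches any CGI handler, works as a reject rule as well as a log search.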

