Full Disclosure mailing list archives
ExploitLabs.com CGI Script Irony (was: Vote Today)
From: "mattmurphy () kc rr com" <mattmurphy () kc rr com>
Date: Thu, 12 Jun 2003 20:42:31 -0400
morning wood <se_cur_ity () hotmail com> wrote:
some famous white hat's letter to Full Disclosure.. -------------------- snippy ------------------------------------- Len: It is my belief that list members who repeatedly post ridicule that could not possibly be of any use for on-topic readers -- particularly those who post such things without any other contributions -- should at least have their right to post permanently stripped, if they are allowed to remain subscribers at all. It is also my belief that Donnie Werner's recent posts fit squarely into this catergory. Not only has Donnie Werner continued to waste the effort of list maintainers and subscribers with non-contributory e-mail, but he has also been extremely un-professional in the few cases where he has provided anything worth anyone's time. For this reason, sorting through Donnie Werner's junk mail is not worth my time, or the time wasted of anyone else on this list. It is with the highest regard for Full-Disclosure as a place of promise in the continuing evolution of information security, that I must urge the removal of Donnie Werner, as it is in the best interest of all on the list, and the future of the list itself. ---------------- end snippy --------------------------------------- Ladies and Gentleman... I am being systematicly blackballed, If I coment on one white hat, I get threats from two more..
My question is this: how does my letter to Len (which I also CC'ed to Donnie) constitute blackmail/threats? By CC'ing Donnie, I specifically gave him an opportunity to respond, and specifically attempted to be professional about this by responding off-list to his posts. Not only did he not respect that, he re-posted my private e-mail to you without my permission.

Donnie has not only broken ethical standards here, you have broken laws. I did not write that message (or the portion of the message which you have displayed) to the list, only to Len Rose and Donnie's private account. Since he did not have the professionalism or maturity to contact me off-list with these issues, and then violated moral, ethical and legal standards by copying my attempts to the list, Donnie has crossed a line that should not be crossed.

Not only was my message private, it also makes no attempt to blackmail Donnie as he so irresponsibly claims. For the benefit of the lists, my message to Donnie is attached as "msg-001.txt". I had contemplated releasing the messages Donnie wrote in response to the list, but have decided not to do so, so that I do not become a repeat of the very issue my complaint is about. If Donnie would choose to provide it (or allow me to do so), his responses to me off-list indicate a tone that is very contradictory to what he posts here.

I made no threats against Donnie or the list, and I made what I considered my best assessment of the situation -- that the incredibly high level of noise on the otherwise unmoderated list, combined with lax administration, would eventually cause the list to collapse. I made no threat to withhold information, or of my own plans to leave (I currently have none), so how could this possibly be considered a threat/blackmail attempt?

P.S. - This message CC'ed to 0day () nothackers org -- Donnie Werner's "list of 0day's", which has also received an unauthorized copy of my e-mail.
Worse, Donnie is a classic example of the flaws he claims to prevent. See the advisory below:

-----

Filtering Flaws in ExploitLabs.com CGI Script

Risk: High
Impact: Critical: Execute commands of attacker's choice
Exploit Difficulty: Minimal
Systems Affected: ExploitLabs.Com Infinity Project (all versions)

A security vulnerability has been identified in the "nph-exploitscanget.cgi" frontend of Donnie Werner's Infinity Scripts. By using a specially malformed URL query, it is possible to execute arbitrary commands as the user running the script. Solutions like suexec, file system limitation, and chroot may prevent successful compromise, but this vulnerability is severe in most instances.

Donnie's script insecurely sanitizes the "host" URI parameter. Specifically, the script fails to block the UNIX backtick character:

http://somesite.com/cgi-bin/nph-exploitscanget.cgi?host=`cat%20/etc/passwd`` cat%20/etc/shadow`&port=80&errchk=0&idsbypass=0

will reveal the username/password data dumped in an error message indicating a failed host ping. This requires httpd to be running as root, a dangerous practice. However, the ability to execute arbitrary commands allows for severe compromise in other areas.

Also, the script does URL decoding after the command filter, apparently:

  $host =~ tr/+/ /;
  $host =~ tr/\%/a/;
  $host =~ tr/\;/b/;
  $host =~ tr/</c/;
  $host =~ tr/>/d/;
  $host =~ tr/\|/e/;
  $host =~ tr/\&/f/;
  $host =~ tr/\^/g/;
  $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

So simple constructs such as:

http://localhost/cgi-bin/nph-exploitscanget.cgi?host=127.0.0.1%20%7ccat%20/etc/passwd%3b

May also work. Note that "%7C" is a URL-encoded pipe character ("|").
Solution:

Replace the previous script:

  $host =~ tr/+/ /;
  $host =~ tr/\%/a/;
  $host =~ tr/\;/b/;
  $host =~ tr/</c/;
  $host =~ tr/>/d/;
  $host =~ tr/\|/e/;
  $host =~ tr/\&/f/;
  $host =~ tr/\^/g/;
  $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

with:

  $host =~ tr/+/ /;
+ $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
+ $host =~ tr/\`/h/;
  $host =~ tr/\%/a/;
  $host =~ tr/\;/b/;
  $host =~ tr/</c/;
  $host =~ tr/>/d/;
  $host =~ tr/\|/e/;
  $host =~ tr/\&/f/;
  $host =~ tr/\^/g/;
- $host =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;

Donnie Werner, you are a fraud -- you cannot even secure a basic Perl script. You don't use 'nslookup' to look up a hostname, you use the simple function call known as gethostbyname() that is part of the Perl core.

-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
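Review bot: Moving the `%XX` decode above `tr/\%/a/` is required for the decode to have any effect at all, because in the original order `tr/\%/a/` rewrites every `%` before the `s/%([a-fA-F0-9][a-fA-F0-9])/.../eg` line runs; with the decode first and the added `tr/\`/h/`, the filter now sees the decoded value. The remaining weakness of this hunk is that it is still a denylist of individual characters substituted one at a time, so correctness depends on the list being complete for whatever shell ends up interpreting `$host`. The message's own closing recommendation, resolving the name with `gethostbyname()` instead of passing it to an external `nslookup`, removes the shell from the data path entirely and is the change to prefer over extending the character list; if the shell-out is kept, the parameter should additionally be validated against the hostname syntax it is supposed to carry rather than scrubbed of known-bad characters.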
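The advisory makes two points that are easier to see in code: a check run on the still-encoded parameter cannot see a `%7C` pipe or a `%60` backtick, and the robust fix is not a longer denylist but an allowlist check on the decoded hostname followed by `gethostbyname()` instead of a shell command. The following Perl is an added example written for this archive page; it is not code from the advisory or from the ExploitLabs script. The function names (`url_decode`, `has_shell_metachar`, `valid_hostname`, `resolve_host`) and the constructed inputs are assumptions of the example, and `resolve_host` assumes a working system resolver.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or the ExploitLabs script):
# decode first, validate against an allowlist, resolve with gethostbyname().
use strict;
use warnings;
use Socket qw(inet_ntoa);

# The same decoding a CGI script performs on a query value:
# '+' becomes a space, then each %XX becomes the byte it encodes.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([a-fA-F0-9]{2})/pack("C", hex($1))/eg;
    return $s;
}

# Denylist check in the spirit of the original filter.  Kept only to show
# that the answer depends on whether it runs before or after url_decode().
sub has_shell_metachar {
    my ($s) = @_;
    return $s =~ /[;|&<>`^\$\s]/ ? 1 : 0;
}

# Allowlist: labels of letters, digits and hyphens joined by dots
# (RFC 1123 shape), at most 253 characters.  Anything else is rejected,
# so no shell metacharacter can ever reach a command line.
sub valid_hostname {
    my ($h) = @_;
    return 0 if !defined $h || length($h) > 253;
    my $label = qr/[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/;
    return $h =~ /^$label(?:\.$label)*\.?$/ ? 1 : 0;
}

# Replacement for `nslookup $host`: resolve with the core library call.
# Returns a list of dotted-quad addresses, or an empty list if the input
# is rejected or does not resolve.
sub resolve_host {
    my ($raw) = @_;
    my $host = url_decode($raw);
    return () unless valid_hostname($host);
    my ($name, $aliases, $addrtype, $length, @addrs) = gethostbyname($host);
    return () unless @addrs;
    return map { inet_ntoa($_) } @addrs;
}

# Constructed inputs: one legitimate name and two values shaped like the
# encoded payloads the advisory describes (hypothetical, for illustration).
my @inputs = (
    'localhost',
    '127.0.0.1%20%7ccat%20/etc/passwd%3b',   # encoded space, pipe, semicolon
    '%60cat%20/etc/passwd%60',               # encoded backticks
);

for my $raw (@inputs) {
    my $decoded = url_decode($raw);
    printf "%-40s before-decode=%d after-decode=%d allowlisted=%d\n",
        $raw,
        has_shell_metachar($raw),       # 0 for all three: '%' hides the metachar
        has_shell_metachar($decoded),   # 1 for the two payload-shaped inputs
        valid_hostname($decoded);       # 1 only for 'localhost'
}

my @addrs = resolve_host('localhost');
print "localhost -> @addrs\n" if @addrs;
```

Run as `perl example.pl`. The two payload-shaped inputs score 0 on the denylist check before decoding and 1 after it, which is the ordering problem the advisory's patch rearranges; `valid_hostname` rejects both regardless of order because neither is a hostname, and `resolve_host` never constructs a command string, so there is nothing left for a metacharacter to act on. `gethostbyname()` is IPv4 only; for dual-stack resolution the same structure applies with `Socket::getaddrinfo`.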
Current thread:
- ExploitLabs.com CGI Script Irony (was: Vote Today) mattmurphy () kc rr com (Jun 12)
- Re: [0day] ExploitLabs.com CGI Script Irony (was: Vote Today) morning_wood (Jun 12)
- Re: [0day] ExploitLabs.com CGI Script Irony (was: Vote Today) morning_wood (Jun 12)
- <Possible follow-ups>
- RE: ExploitLabs.com CGI Script Irony (was: Vote Today) Steve Manzuik (Jun 12)