/cgi-bin/handler is a small perl program that allows (in theory) 
to read and download files under the system's root directory.
In fact it allows you to execute any command remotely
on the target machine.

Here's how it works:
"handler" reads PATH_INFO from the environment and then concatenates it
with a default "root directory" (let's say /var/www/htdocs). It then runs
a "validity check" on the result. But it only checks for ".." not for
other potential offensive special chars.
It then uses "open (INPUT, $doc)" where $doc is the result of the
concatenation.
If you're familiar with PERL you know that if a '|' character follows the
filename, perl will treat that filename as a command. It runs it and gives
you STDOUT.
The way to exploit this "feature" for cgi-bin/handler is:

telnet target.machine.com 80
GET /cgi-bin/handler/useless_shit;cat   /etc/passwd|?data=Download
HTTP/1.0

Note that you have to use a TAB character after cat, not a space because
the shell will accept it as a separator and it won't confuse the HTTP
server. You can't use the %xx format (%20) because the script doesn't do
any parsing (So you will not be able to give command that contain spaces).

Of course, you can use any other command instead of "cat" but remember NOT
to use spaces, just tabs.

The server will display an error saying that it couldn't open
"useless_shit" but it will continue anyway and execute your command.

I tested it on two Indy machines with IRIX 6.2.

And also, I think this kind of approach makes cgi-bin's written in perl
more vulnerable. That is any script that does not strip special
characters (not only dots, but also | and ; ) and uses "open" commands on
files read from user input can be attacked. Most of the cgi-bin's I've
seen do only a rudimentary check for "double-dots" and then declare the
URL "sane".


==========================================================================


I have had reports that my exploit for SGI's /cgi-bin/handler does not
work on IRIX 6.3 (on O2).  I analyzed the code provided with IRIX
6.3 and they tried to fix it, but they actually DID NOT.

They added a new line to the script:

$doc=~s/\|*$// (in plain English, this means "remove any number of '|'s at
end-of-string"). But guess what. It works just as fine if you put another
TAB character after the "pipe" (so that the "pipe" is not at
end-of-string, the TAB is).

The exploit should read

telnet target.machine.com 80
GET /cgi-bin/handler/whatever;cat       /etc/passwd|    ?data=Download
HTTP/1.0

It tricks the script into executing the command anyway.
Now, for those of you who want to patch it somehow, here's the best
solution that has been posted to me (all credits for it go to Wolfram
Schneider <wosch@apfel.de>)

All "open" commands should check if the their argument is really a
filename. You could use:

-f $doc && open (INPUT, $doc)

(Same thing as: if (-f $doc) {open (INPUT, $doc) } , the one written
above is more PERL style)

So far, IRIX versions 5.3, 6.2, and now 6.3 are vulnerable.


===========================================================================


If you have untrusted local users who can install their own cgi-bin
stuff (I know of at least one large site that is in this situation),
this isn't enough.  /cgi-bin/handler/whatever;cat\t/etc/passwd\|\t may
well exist, and open() will _still_ take it as a pipe.


===========================================================================


IRIX 6.4 is also vulnerable to this exploit.


===========================================================================