
Wrong guy



Same name...different guy.
Just thought you might want to know.

_________________________________________________
Brian,

Much thanks for your update.  I'll update the FAQ right now so as to
spread the misery around.  It was indeed fun to execute DOS commands
on O'Reilly's server.

I'm also Cc:'ing this to the Web managers and security lists so that
they are apprised of the hole in the Website and Netscape servers.

I don't have access to the Netscape Commerce Server.  Am I right in
thinking that this problem plagues that software as well?

Thanks,

Lincoln

Brian Kendig writes:
 > The serious Netscape security hole which is described in the WWW Security
 > FAQ ("http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.htm") also
 > exists in the O'Reilly Website web server.
 >
 > Here is a description of the security hole, from the FAQ:
 >
 > >Redfern Ian (redferni@logica.com) has discovered that a similar hole
 > >exists in the processing of CGI scripts implemented as .bat files. The
 > >following is an excerpt from Redfern's mail:
 > >
 > >  Consider test.bat:
 > >  @echo off
 > >  echo Content-type: text/plain
 > >  echo
 > >  echo Hello World!
 > >
 > >  If this is called as "/cgi-bin/test.bat?&dir" you get the output
 > >  of the CGI program, followed by a directory listing.
 > >
 > >  It appears that the server is doing system("test.bat &dir") which
 > >  the command interpreter is handling (not unreasonably) in the
 > >  same way /bin/sh would - execute it, and if things go OK,
 > >  execute the dir command.
 > >
 > >At this time, I know of no workaround for this problem.
 >
 > Here is an example of two URLs on O'Reilly's web site which also
 > demonstrate the problem:
 >
 >     http://website.ora.com/cgi-dos/browser.cmd?&dir
 >     http://website.ora.com/cgi-dos/args.cmd?&dir
 >
 > I am writing to let O'Reilly know about this so they can fix it, and to
 > let the WWW Security FAQ maintainer know about this so he can update the
 > FAQ to let people know that Netscape is not the only company who has been
 > bitten by this problem.  :-)
 >
 >
 >    __   __
 >   |  \ |  |    Brian Kendig, Mad Scientist                       /
 >   |   \|  |    Netscape Communications Corporation           /  *
 >   |  |\   |    brian@netscape.com                           *        /
 >   |__| \__|    Check out our support pages!                         *
 >                http://home.netscape.com/assist/support/
 >
 >
 >
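
An added example, not part of the original messages: a log check that flags requests of the kind quoted above, where the query string sent to a .bat or .cmd CGI script contains characters the command interpreter acts on. The Common Log Format input, the metacharacter set and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# cmd.exe command separators, pipes, redirections and the escape character
# (assumed set for this example).
CMD_META = "&|<>^"

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Script extensions that are run through the DOS/NT command interpreter.
BATCH_RE = re.compile(r"\.(bat|cmd)$", re.IGNORECASE)


def suspicious_batch_requests(log_lines):
    """Return (line_number, path, decoded_query) for each request that sends
    command-interpreter metacharacters to a .bat/.cmd CGI script."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group("target").partition("?")
        if not BATCH_RE.search(path):
            continue
        # Decode first so %26 is treated the same as a literal "&".
        decoded = unquote(query)
        if any(ch in CMD_META for ch in decoded):
            hits.append((number, path, decoded))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /cgi-bin/test.bat HTTP/1.0" 200 42',
    '192.0.2.11 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/test.bat?&dir HTTP/1.0" 200 913',
    '192.0.2.12 - - [01/Jan/2000:10:00:09 +0000] "GET /cgi-dos/args.cmd?%26dir HTTP/1.0" 200 870',
    '192.0.2.13 - - [01/Jan/2000:10:00:12 +0000] "GET /cgi-bin/search.exe?a=1&b=2 HTTP/1.0" 200 120',
    '192.0.2.14 - - [01/Jan/2000:10:00:15 +0000] "GET /cgi-bin/test.bat?hello HTTP/1.0" 200 42',
]

if __name__ == "__main__":
    for number, path, query in suspicious_batch_requests(SAMPLE_LOG):
        print(f"line {number}: {path} query={query!r}")
```

Because "&" is also the ordinary form-field separator, the check is restricted to batch-file script paths; requests to other CGI programs are not flagged.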