Re: CGI Security Problem (fwd)
The author says he has fixed the problem, so it's a moot point. The risk
is to the server, not to the user.
Lincoln
>-----BEGIN PGP SIGNED MESSAGE-----
>
>Lincoln Stein wrote:
>>
>> I just got this note from a reader of the WWW Security FAQ. I haven't
>> confirmed the problems with CGITap yet, but you might want to watch
>> out for this script.
>>
>> Lincoln
>>
>> Forwarded message:
>> > From daemon Sat May 18 03:26:30 1996
>> > Message-Id: <m0uKgOx-0010btC@vista.hevanet.com>
>> > Comments: Authenticated sender is <maurice@mail.hevanet.com>
>> > From: "Maurice L. Marvin" <maurice@hevanet.com>
>> > To: lstein@genome.wi.mit.edu
>> > Date: Sat, 18 May 1996 00:14:08 -0700
>> > Subject: CGI Security Problem
>> > Reply-To: maurice@hevanet.com
>> > Priority: normal
>> > X-Mailer: Pegasus Mail for Windows (v2.23)
>> >
>> > Hello Lincoln. There is a CGI script
>> > named CGITap (http://scendtek.com/cgitap/), which
>> > I believe has a serious security problem.
>> >
>> > I have notified the author, but have not
>> > received a reply yet. I am notifying you because
>> > of the potentially wide-spread distribution of this
>> > program (it is referenced in the May edition of
>> > WebSmith, page 45).
>> >
>> > The program does not remove or escape
>> > metacharacters from the user supplied data prior to
>> > being passed to the shell, and as such, I've been able
>> > to execute several arbitrary commands.
>> >
>> > Best Regards,
>> >
>> > Maurice L. Marvin <maurice@hevanet.com>
>> >
>
>I know this is going to sound obvious but here goes: Is it safe
>to hit the above site to see what it does, or was your warning
>indicating that one should *not* hit it unless of course you're a
>security guru interested in studying the problem? I thought about
>hitting the site http://scendtek.com/cgitap/ but it occurred to me
>this *might not be* a ``demo'' but in fact the live McCoy, and as
>such I'm concerned about any trouble penetrating our firewall.
>Sorry if I misunderstood your post and this question sounds
>redundant, won't hit it pending your reply. Thanks.
>
>Gene
>
>--
>``Imagine if every Thursday your shoes exploded if you tied them
> the usual way. This happens to us all the time with computers,
> and nobody thinks of complaining.'' -Jeff Raskin
>
> ______ gene@cup.hp.com
> /\__ _\ ingram@pubs.holosys.com
> \/_/\ \/ ___ __ _ __ __ ___ ___
> \ \ \ /' _ `\ /'_ `\/\`'__\/'__`\ /' __` __`\
> \_\ \__/\ \/\ \/\ \L\ \ \ \//\ \L\.\_/\ \/\ \/\ \
> /\_____\ \_\ \_\ \____ \ \_\\ \__/.\_\ \_\ \_\ \_\
> \/_____/\/_/\/_/\/___L\ \/_/ \/__/\/_/\/_/\/_/\/_/
> /\____/
>________________________\_/__/____________________________________
>PGP UserID: "Gene Ingram <gene@cup.hp.com>"
>Key Size: 1024 bits; Creation date: 21 March 1996; KeyID: 9FEBA191
>Key fingerprint: 93 E1 15 E6 35 BC B2 84 B2 7B 39 76 29 72 32 72
>
>--3D signature created courtesy of ``Figlet Ascii Font Converter''
> <http://mediacube.datacom.de/cgi-bin/moniteurs/figlet>
========================================================================
Lincoln Stein, M.D.,Ph.D. lstein@genome.wi.mit.edu
Director: Informatics Core
MIT Genome Center (617) 252-1916
Whitehead Institute for Biomedical Research (617) 252-1902 FAX
One Kendall Square
Cambridge, MA 02139
================ http://www-genome.wi.mit.edu/~lstein ===================
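
Added example, not part of the original thread and not CGITap's code: the class of flaw Maurice describes (user-supplied data reaching the shell with its metacharacters intact), shown next to three server-side fixes. The function names, the use of echo as the command, and the sample inputs are assumptions constructed for illustration.

```python
import re
import shlex
import subprocess

# Constructed sample input; ';' is a shell metacharacter.
HOSTILE = "hello; echo INJECTED"


def run_unsafe(value: str) -> str:
    """The flaw: the form value is pasted into a shell command line,
    so the shell parses ';' and runs a second command."""
    return subprocess.run("echo " + value, shell=True,
                          capture_output=True, text=True).stdout


def run_quoted(value: str) -> str:
    """Fix 1 (escape): quote the value so the shell treats it as one word."""
    return subprocess.run("echo " + shlex.quote(value), shell=True,
                          capture_output=True, text=True).stdout


def run_argv(value: str) -> str:
    """Fix 2 (no shell): pass an argument vector; nothing parses the
    value, so metacharacters are ordinary bytes."""
    return subprocess.run(["echo", value],
                          capture_output=True, text=True).stdout


# Fix 3 (remove/reject): allowlist what the field may contain. The first
# character must be alphanumeric so the value cannot be read as an option.
ALLOWED = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def validate(value: str) -> str:
    if not ALLOWED.fullmatch(value):
        raise ValueError("input contains characters outside the allowlist")
    return value


if __name__ == "__main__":
    for fn in (run_unsafe, run_quoted, run_argv):
        print(fn.__name__, repr(fn(HOSTILE)))
    try:
        validate(HOSTILE)
    except ValueError as exc:
        print("validate:", exc)
```

Avoiding the shell (run_argv) combined with the allowlist is the more robust pairing; quoting alone depends on every call site remembering to apply it.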