At least one exploitable application for throwing arbitrary characters into an HTTP request method is good old "test-cgi". The suggested (and from what I have seen on most systems, typical) fix for the original bug in this script was to put the "QUERY_STRING" variable in test-cgi in quotes to prevent its use for listing files.

With mnemonix's post regarding the REQUEST_METHOD's "feature", many users are re-exposed to the test-cgi problem, as the "REQUEST_METHOD" variable remains un-quoted in the following shell command:

    echo REQUEST_METHOD = $REQUEST_METHOD

Instead of using "*" or a pathname followed by "*" as an argument to test-cgi, as in:

    GET /cgi-bin/test-cgi?* HTTP/1.0

an attacker could use something like the following:

    * /cgi-bin/test-cgi HTTP/1.0

to see the contents of the /cgi-bin directory of the web-root, or

    /* /cgi-bin/test-cgi HTTP/1.0

to see the contents of the system's root /, or whatever absolute or relative path from the webserver's cgi-bin.

This was tested on version 1.3b6 of Apache.

The fix is to surround all of the variables in test-cgi (and any other variations of test-cgi, such as nph-test-cgi, that may be present) in quotes.

If there is a moral to this story, it is yet another warning about cgi programming and scripting: protect *any* data that can be supplied by the user from overflow and/or unwanted interpretation in your application, including variables that may not necessarily be directly user-supplied.

The original test-cgi advisory can be found in the bugtraq archives at http://www.geek-girl.com/bugtraq

-Eric Monti
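The following is an added example, not the test-cgi script itself or anything from the original post. It puts the unquoted echo line from test-cgi beside the quoted form the fix relies on and runs both against a constructed directory (a mktemp scratch directory containing two dummy files standing in for cgi-bin) so the glob expansion can be observed without touching a real web root. The function names unquoted_echo, quoted_echo and demo are assumptions of this example.

```shell
#!/bin/sh
# Added example: why an unquoted variable in a shell CGI is a problem.
# Not the original test-cgi; function and directory names are assumptions.

# Constructed stand-in for a cgi-bin directory, so "*" expands against
# files we created rather than anything on the real system.
WORKDIR=$(mktemp -d)
: > "$WORKDIR/alpha.cgi"
: > "$WORKDIR/beta.cgi"

cleanup() {
    rm -rf "$WORKDIR"
}
trap cleanup EXIT

# Vulnerable form, as in test-cgi: the variable is expanded unquoted, so a
# value of "*" undergoes filename generation and lists the current directory.
unquoted_echo() {
    echo REQUEST_METHOD = $REQUEST_METHOD
}

# Hardened form, as in the suggested fix: double quotes suppress both
# filename generation and word splitting, so "*" is printed literally.
quoted_echo() {
    echo "REQUEST_METHOD = $REQUEST_METHOD"
}

# Run one of the two forms with a constructed REQUEST_METHOD value, from
# inside the scratch directory, exactly as the CGI would see it.
#   $1 = function to run, $2 = value to place in REQUEST_METHOD
demo() {
    ( cd "$WORKDIR" && REQUEST_METHOD=$2 && $1 )
}

# Stand-alone run: the first line leaks the directory listing, the second
# does not.
demo unquoted_echo '*'
demo quoted_echo '*'
```

The same quoting applies to every other variable test-cgi echoes: any of them that the server fills from the request is an input to the shell, and only the quoted form keeps it from being interpreted.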
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:28:45 PDT