Re: test-cgi - Re: HTTP REQUEST METHOD flaw

From: Peter van Dijk (peterat_private)
Date: Fri Jan 15 1999 - 05:26:32 PST


    On Thu, Jan 14, 1999 at 09:35:33AM +0100, Peter van Dijk wrote:
    > On Wed, Jan 13, 1999 at 10:12:13AM -0600, monti wrote:
    > > At least one exploitable application for throwing arbitrary characters
    > > into an HTTP request method is good old "test-cgi".
    > >
    > > The suggested (and from what I have seen on most systems, typical) fix
    > > for the original bug in this script was to put the "QUERY_STRING" variable
    > > in test-cgi in quotes to prevent its use for listing files.
    > >
    > > With mnemonix's post regarding the REQUEST METHOD's "feature", many users
    > > are re-exposed to the test-cgi problem, as the "REQUEST_METHOD" variable
    > > remains un-quoted in the following shell command:
    > >
    > > echo REQUEST_METHOD = $REQUEST_METHOD
    > >
    > > Instead of using "*" or a pathname followed by "*" as an argument to
    > > test-cgi as in:
    > >
    > > GET /cgi-bin/test-cgi?* HTTP/1.0
    > >
    > > An attacker could use something like the following:
    > >
    > > * /cgi-bin/test-cgi HTTP/1.0
    > > to see contents of /cgi-bin directory of web-root
    >
    > A paper I wrote somewhere in 1997(!) notes that CONTENT_TYPE, CONTENT_LENGTH,
    > HTTP_ACCEPT, HTTP_REFERER, PATH_INFO, PATH_TRANSLATED, QUERY_STRING,
    > REQUEST_METHOD and SERVER_PROTOCOL are under control of the user.
    >
    > If you control your reverse and forward DNS, you could also theoretically
    > control REMOTE_HOST.
    
    To add to that: Putting /*/*/*/*/*/*/* (etc.) in 2 or 3 of these variables,
    requesting test-cgi about 20 times in a row and each time cancelling your
    request will drive the load on the server way up, making disk access slow.
    
    Greetz, Peter.
    --
    <squeezer> AND I AM GONNA KILL MIKE                |          Peter van Dijk
    <squeezer> hardbeat, if you're still sober:        | peterat_private
    <squeezer>   @date = localtime(time);              |  realtime security d00d
    <squeezer>   $date[5] += 2000 if ($date[5] < 37);  |
    <squeezer>   $date[5] += 1900 if ($date[5] < 99);  |        * blah *
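The unquoted expansion discussed in this thread, as an added example that is not part of the original post or of the test-cgi script: a POSIX shell script that runs the vulnerable `echo` beside its double-quoted fix inside a constructed scratch directory, plus a crude grep-based audit (an assumed helper written for this example, not a real tool) for the client-controlled variables named above.

```shell
#!/bin/sh
# Added example, not code from the original post or from test-cgi itself.
# Shows why the unquoted $REQUEST_METHOD in test-cgi leaks a directory listing
# when the request method is "*", that double quotes close the hole, and a crude
# audit for the same defect. Runs entirely in a constructed temporary directory.

# Mirrors the vulnerable line from test-cgi. Unquoted, the value undergoes
# pathname expansion: "*" becomes the names of the files in the current
# directory (on a real server, the cgi-bin directory the script runs from).
vulnerable_echo() {
    echo REQUEST_METHOD = $REQUEST_METHOD
}

# The fix: double quotes suppress globbing and field splitting, so the value
# is printed literally whatever the client sent.
fixed_echo() {
    echo "REQUEST_METHOD = $REQUEST_METHOD"
}

# Run $1 (one of the functions above) with REQUEST_METHOD set to $2 from inside
# a scratch directory holding a few constructed CGI file names.
run_in_sandbox() {
    _dir=$(mktemp -d) || return 1
    touch "$_dir/nph-count" "$_dir/phf" "$_dir/test-cgi"
    ( cd "$_dir" && REQUEST_METHOD=$2 && export REQUEST_METHOD && "$1" )
    rm -rf "$_dir"
}

# Crude audit (assumed helper): print lines of the CGI shell script $1 that
# expand one of the client-controlled variables listed in the thread outside
# double quotes. It ignores single quotes and also flags plain assignments,
# so hits are leads for manual review, not proof of a bug.
audit_cgi_script() {
    _vars='CONTENT_TYPE|CONTENT_LENGTH|HTTP_ACCEPT|HTTP_REFERER|PATH_INFO'
    _vars="$_vars|PATH_TRANSLATED|QUERY_STRING|REQUEST_METHOD|SERVER_PROTOCOL"
    grep -nE '(^|[^"])\$\{?('"$_vars"'|REMOTE_HOST)\}?([^"]|$)' "$1" || true
}

# Stand-alone demo: "*" through both variants, then an audit of a constructed
# two-line script with one unquoted and one quoted expansion.
echo "vulnerable:"; run_in_sandbox vulnerable_echo '*'
echo "fixed:";      run_in_sandbox fixed_echo '*'
_s=$(mktemp)
printf 'echo REQUEST_METHOD = $REQUEST_METHOD\necho "QUERY_STRING = $QUERY_STRING"\n' > "$_s"
echo "audit hits:"; audit_cgi_script "$_s"
rm -f "$_s"
```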
    