Am i missing something, or is there no vendor information listed in this? Who wrote processit.pl, and what package is it a part of? On Sun, 15 Apr 2001, UkR hacking team wrote: > Name: Environment and Setup Variables can be Viewed through processit.pl CGI script > Author: UkR-XblP /UkR security team:www.ukrteam.ru /GiN group:www.secure.f2s.com > Problems:The script allows several environment variables to be viewed by the attacker, who can gain useful information on the site, making further attacks more feasible > Analysis:processit.pl dumps useful information (e.g. script location, SERVER_SOFTWARE, DOCUMENT_ROOT, etc.) to the browser when the requested file provided is incorrect or when request without parametrs. > Exploits: If site does not contain a incorrect file, thus the following URL displays the environment dump. However, a similar url, when applied within the necessary modifications to an unprotected site would yield the desired result: > http://www.victim.org/cgi-bin/processit.pl?FORMNAME=UkR > or > http://www.victim.org/cgi-bin/processit.pl >
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 12:42:42 PDT