I also want to know, if the firewall has ICMP open in/out (it means that you can ping an internal host by conduit in firewall - NAT) if there is a way bypass by something to web server, could be Unicode bug, Transversal bug etc... I have seen firewalls on internet and they allow ping inside the network. Thank you. Ondrej "John Thornton" <news@hackersdige To: <vuln-devat_private> st.com> cc: Subject: 72% of web base ping scripts allows attackers to pass malicious parameters 06/01/2002 12:37 AM I started to look into web sites that allows anyone to ping a host via web. I wanted to see if any of these scripts would allow me to execute a '|' so I could run commands of my choice on their server. Almost all of them pass this test however I was shocked to see how many allowed me to pass parameters to the ping program itself. Doing a search on google for 'ping.asp' ( For some reason url:ping.asp yields no results ) I started to go down the list and would test each script by putting '127.0.0.1 -l' for a host. If the script returned 'Value must be supplied for option -l.' I know that anyone could use this server for a DDOS attack. For example 'victim.com -l 65500 -t' would send very large icmp packets to the victim until the Network Administrator notice that his server was ping flooding someone. Of all the scripts tested a very frightening 72% allow me to pass parameters that would allow anyone to use it for a DDOS. Most of the servers that host these scripts are isp's and universities that are sitting on large pipes to the internet. The real threat is that there is no vender to alert. Most of these scripts are custom developed. I have informed the administrators of the vulnerable scripts that I have found but there are thousands out there. -John Thornton Editor in Chief Hacker's Digest Magazine http://www.hackersdigest.com
This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 09:21:08 PDT