Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Python CGI interpreter phys.path vuln on Win32 ?
From: Marco van Zanten <marco.van.zanten () cgey nl>
Date: Wed, 24 Oct 2001 10:34:30 +0200

Kristian,

Maybe you can try to write your own cgi script in which you use the python
interpreter of the server
, you know the exact path now.
Link this to a local html page and execucte your code on the remote machine.

Good luck,
Marco


Kristian Franzen wrote:

Mailer: SecurityFocus

All,

I'm currently pen-testing a clients web-application
running on IIS 4 & 5. They have implemented the
logic in their website using CGI scripts written in
Python.

When addressing a non-existent CGI script in the /cgi-
bin folder (or other executable folders that contain
CGI's) the webserver reveals the physical path of
both the Python interpreter as well as the non-
existent cgi-script.

The output looks somewhat like:

<c:\program files\python\python.exe: can't open
file 'c:\inetpub\wwwroot\cgi-bin\fakefile.cgi'>

Has anyone experienced this,and has anyone figured
out which versions of the Python interpreter that are
vulnerable to this ?

In addition, with some playing around with other
characters in the URL preceeding the fake cgi,
like /cgi-bin/""test&20fakefile.cgi, the resulting output
turns:

<c:\program files\python\python.exe: can't open
file 'c:\inetpub\wwwroot\cgi-bin\test'>

Interesting... (could this be exploited furhter, to have
the interpreter execute other stuff ?)

I've harvetsted various newsgroups for references to
these issues, though without success.

Any help or input greately appreciated.

Cheers,

Kristian
kristian.franzen () trs mine nu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Attachment: marco.van.zanten.vcf
Description: Card for Marco van Zanten

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault