Vulnerability Development mailing list archives
72% of web-based ping scripts allow attackers to pass malicious parameters
From: "John Thornton" <news () hackersdigest com>
Date: Fri, 31 May 2002 21:37:08 -0700
I started to look into web sites that allow anyone to ping a host via the web. I wanted to see if any of these scripts would allow me to execute a '|' so I could run commands of my choice on their server. Almost all of them passed this test; however, I was shocked to see how many allowed me to pass parameters to the ping program itself.

Doing a search on Google for 'ping.asp' (for some reason url:ping.asp yields no results), I started to go down the list and tested each script by putting '127.0.0.1 -l' in for a host. If the script returned 'Value must be supplied for option -l.', I knew that anyone could use this server for a DDoS attack. For example, 'victim.com -l 65500 -t' would send very large ICMP packets to the victim until the network administrator noticed that his server was ping flooding someone.

Of all the scripts tested, a very frightening 72% allowed me to pass parameters that would let anyone use them for a DDoS. Most of the servers that host these scripts belong to ISPs and universities that are sitting on large pipes to the Internet. The real threat is that there is no vendor to alert: most of these scripts are custom developed. I have informed the administrators of the vulnerable scripts that I have found, but there are thousands out there.

-John Thornton
Editor in Chief
Hacker's Digest Magazine
http://www.hackersdigest.com
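The flaw described in the post is argument injection: the script hands a user-supplied host string to ping, so a value like '127.0.0.1 -l' is parsed by ping as options rather than as a target. The following Python is an added illustration written for this archive page, not code from the post or from any of the scripts it surveyed. It contrasts the string-concatenation pattern the post describes (shown only as a command string, never executed here) with a hardened builder that accepts a single IP literal or DNS hostname, keeps the option set fixed on the server side, and places the target after '--' so it can never be parsed as an option. The function names and the choice of the '-c' count option (common to Linux and BSD ping) are assumptions of this example.

```python
import ipaddress
import re
import subprocess

# One DNS label per RFC 1123: letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters. Used with fullmatch so a trailing
# newline or any embedded space, '|' or ';' is rejected.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def vulnerable_command(target: str) -> str:
    """The pattern the post describes (string concatenation passed to a shell).

    Returned as a string for illustration only; it is never executed. Any
    whitespace-separated text the user appends, such as '-l 65500 -t',
    reaches ping as additional options.
    """
    return "ping " + target


def is_valid_target(value: str) -> bool:
    """Accept only a single IPv4/IPv6 literal or a DNS hostname.

    Options (leading '-'), whitespace and shell metacharacters all fail this
    check, so nothing but a bare target can reach the command line.
    """
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value)  # IPv4 or IPv6 literal
        return True
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    return all(_LABEL.fullmatch(label) for label in labels)


def build_ping_argv(target: str, count: int = 4) -> list:
    """Build the argv list for a fixed-shape ping invocation.

    The caller never controls the option set: the echo-request count is a
    server-side constant and the target follows '--', the conventional
    end-of-options marker, so ping cannot interpret it as an option.
    Raises ValueError for any target that fails validation.
    """
    if not is_valid_target(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", str(count), "--", target]


def run_ping(target: str) -> str:
    """Run ping with an argv list (no shell) and a hard timeout.

    Not exercised by the test; shown to make the safe invocation explicit.
    """
    argv = build_ping_argv(target)
    result = subprocess.run(argv, capture_output=True, text=True, timeout=15)
    return result.stdout
```

The validator is deliberately stricter than necessary: rather than trying to strip known-bad characters, it accepts only the two shapes a ping target can legitimately have and rejects everything else, which is what stops both the '|' command-injection probe and the '-l' option-injection probe from the post.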