Nmap logo

Irix pfdispaly CGI hole

Description:Standard .. read-any-file CGI exploit.
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise:Read any file (remotely) that user nobody (or whatever web server runs as) can read.
Vulnerable Systems:IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed, check for /var/www/cgi-bin/pfdispaly.cgi.
Date:17 March 1998

Date: Tue, 17 Mar 1998 00:06:48 +0100
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Subject: IRIX performer_tools bug

    Do you remember the /cgi-bin/handler bug?

    Well, more of the same:

    IRIX 6.2
    performer_tools.sw.webtools (Performer API Search Tool 2.2)

    Bug: Anyone can read files (as 'nobody') from your system:


    lynx -source \

    for instance :-)


*** pfdispaly.cgi.O     Mon Mar 16 23:13:34 1998
--- pfdispaly.cgi       Mon Mar 16 23:36:29 1998
*** 14,19 ****
--- 14,20 ----
  $fullcgiroot = "/var/www$cgiroot";

  $shortfilepath = "$ARGV[0]";
+ $shortfilepath =~ s/\.{2,}//g;
  $fullfilepath = "$maindocroot$shortfilepath";
  ($filename = $shortfilepath) =~ s/.*\/(.*)$/$1/;

    Note: I haven't tested the other Performer CGI's too much,
    maybe they will have more nasty bugs.
    (in fact, pfdispaly.cgi opens "$ARGV[0]" with "$maindocroot"
    prepended; but somewhere 'dangerous' characters are escaped)

    There is another bug at pfsearch.cgi; which lacks of
    print "Content-type: text/html\n\n";
    line, so you get garbage in your browser.

    (and even worse, you have to enable JavaScript if you want
    to use this set of CGIs...)

    J.A. Gutierrez                                   So be easy and free
                                            when you're drinking with me
                                      I'm a man you don't meet every day
 finger me for PGP                                          (the pogues)

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]