Novell httpd convert.bas cgi hole

Summary
Description:Another '..' bug, this time by Novell
Author:TTT Group <ttt@broder.com&rt;
Compromise:read any file on server
Vulnerable Systems:systems running vulnerable versions of Novell's httpd
Date:3 July 1996
Details

Exploit:

Date: Wed, 3 Jul 1996 14:50:06 -0700 (PDT)
From: TTT Group 
To: firewalls@GreatCircle.COM
Subject: *** SECURITY ALERT ***

I spent some time exploring Novell's HTTP server and out of the box
there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If you are running the Novell HTTP server, please disable the CGI's
it comes with it until you understand (fully understand) what the
security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The CGI in question is convert.bas (yes, cgi's in basic, stop laughing).
(There may be more CGI's in the scripts dir that can be exploited
but this was all I could stomoch.)

A remote user can read any file on the remote file system using
this CGI.  This means that if you are running the Novell HTTP
server and have the 'out of box' CGI's, you are breached.
Exploit code:
http://victim.com/scripts/convert.bas?../../anything/you/want/to/view

I was going to see how bad this threat was by connecting to
www servers, testing for "Novell HTTP" in the HTTP server responce
BUT WHY DO THAT WHEN YOU HAVE www.altavista.digital.com :-)
+links:scripts/convert.bas
will return you all the sites that can be breached.

PLEASE PLEASE PLEASE don't open the box and put machine on the
Internet.  I am getting tired of this kind of stuff.
Who the hell did Novell consult with to write these darn CGI's?
It makes me sad.

--blast


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]