Network Security Series: knowledge of CGI exploits, a collection (vulnerability warning, the black bar safety net)

Source: www.myhack58.com (MYHACK58:62200713865)
Author: 佚名 (Anonymous)
Date: 2007-01-20

The following is a collection and collation of some well-known CGI vulnerabilities, with security recommendations and solutions for each. If a server has these vulnerabilities and they are not patched, each one is likely to be used by an intruder and raises the server's exposure to attack.

1. phf

● Type: attack

● Risk level: medium

● Description: the non-commercial NCSA and Apache (up to version 1.1.1) Web servers ship a program, util.c, that lets an intruder execute any command as root:

http://www.xxx.com/cgi-bin/phf?Qname=root some command here

● Solution: upgrade the Apache web server above 1.1.1, or upgrade the NCSA web server to the latest version.

2. wguest.exe

● Type: attack

● Risk level: medium

● Description: if you use Windows NT as the Web server operating system and wguest.exe is present in the Web executable directory, an intruder can use it to read every file on the hard disk that the IUSR_ user can read.

● Solution: move wguest.exe out of the Web directories or delete it.

3. rguest.exe

● Type: attack

● Risk level: medium

● Description: if you use Windows NT as the Web server operating system and rguest.exe is present in the Web executable directory, an intruder can use it to read every file on the server's hard disk that the IUSR_ user can read.

● Solution: move rguest.exe out of the Web directories or delete it.

4. perl.exe

● Type: attack

● Risk level: low

● Description: perl.exe present in the cgi-bin executable directory is a serious configuration error. An intruder can append a string of commands to perl.exe and, through a browser, execute any script on the server.

● Solution: remove the perl.exe program from the Web directory.

5. shtml.exe

● Type: attack

● Risk level: low

● Description: if you use FrontPage as the Web server, an intruder can use the IUSR_ user together with shtml.exe to break into the machine.

● Solution: move shtml.exe out of the Web directories or delete it.

6. wwwboard.pl

● Type: attack

● Risk level: low

● Description: the wwwboard.pl program makes it easy for an attacker to mount a D.O.S attack on the server.

● Recommendation: delete the file if it is not needed.

● Solution: in the get_variables subroutine, replace the following passage:

if ($FORM{'followup'}) {
    $followup = "1";
    @followup_num = split(/,/, $FORM{'followup'});
    $num_followups = @followups = @followup_num;
    $last_message = pop(@followups);
    $origdate = "$FORM{'origdate'}";
    $origname = "$FORM{'origname'}";
    $origsubject = "$FORM{'origsubject'}";
}


Replace it with:

if ($FORM{'followup'}) {
    $followup = "1";
    @followup_num = split(/,/, $FORM{'followup'});
    $num_followups = @followups = @followup_num;
    $last_message = pop(@followups);
    $origdate = "$FORM{'origdate'}";
    $origname = "$FORM{'origname'}";
    $origsubject = "$FORM{'origsubject'}";

    # WWWBoard Bomb Patch
    # Written By: Samuel Sparling ([email protected])
    # Refuse the request if any message number appears twice in the
    # followup list; a board bomb relies on such repeated numbers.
    $fn = 0;
    while ($fn < $num_followups) {
        $cur_fup = $followups[$fn];
        $dfn = 0;
        foreach $fm (@followups) {
            if ($followups[$dfn] == $followups[$fn] && $dfn != $fn) {
                &error('board_bomb');
            }
            $dfn++;
        }
        $fn++;
    }
    # End WWWBoard Bomb Patch
}


7. uploader.exe

● Type: attack

● Risk level: medium

● Description: if you use Windows NT as the Web server operating system, an intruder can use uploader.exe to upload any file.

● Solution: move uploader.exe out of the Web directories or delete it.

8. bdir.htr

● Type: attack

● Risk level: high

● Description: if you use Windows NT as the Web server operating system and bdir.htr is present in the Web executable directory, an intruder can use it to create ODBC databases on the server without limit and to generate executable files.

● Solution: move bdir.htr out of the Web directories or delete it.

9. Count.cgi

● Type: attack

● Risk level: high

● Description: the Count.cgi program (Wwwcount 2.3) in the /cgi-bin directory has an overflow bug that lets an intruder execute any command remotely without logging in.

● Recommendation: delete the file if it is not needed.

● Solution: upgrade Wwwcount to 2.4 or later.

23. aglimpse

● Type: attack

● Risk level: high

● Description: the aglimpse program in the cgi-bin directory has a vulnerability that lets an intruder execute any command without logging in.

● Recommendation: audit the cgi-bin directory so that no unnecessary programs remain in it.

● Solution: delete the aglimpse program from the /cgi-bin directory.

24. AT-admin.cgi

● Type: attack

● Risk level: medium

● Description: the /cgi-bin/AT-admin.cgi program of Excite for Web Servers 1.1 allows an ordinary user to take full control of the entire system.

● Recommendation: audit the cgi-bin directory so that no unnecessary programs remain in it.

● Solution: delete the AT-admin.cgi program from the /cgi-bin directory.

25. finger

● Type: attack

● Risk level: medium

● Description: the finger program in /cgi-bin can look up information on other servers, but if its parameter is pointed at the local machine, the account information on the machine is exposed:

/cgi-bin/finger?@localhost

● Recommendation: audit the cgi-bin directory so that no unnecessary programs remain in it.

● Solution: delete the finger program from the /cgi-bin directory.

26. webwho.pl

● Type: attack

● Risk level: medium

● Description: if the Web executable directory contains the webwho.pl CGI script, an intruder can use it to read and write any file that the user the Web server runs as can read and write.

● Solution: delete webwho.pl from the Web directory or move it out.

27. w3-msql

● Type: attack

● Risk level: low

● Description: the CGI (w3-msql) shipped with the MiniSQL package release can be used to execute arbitrary code with the privileges of the httpd uid. The vulnerability comes from the program's use of the scanf() function.

● Solution: if you have installed the MiniSQL package, delete or move the w3-msql file out of the /cgi-bin/ directory, or apply the following patch.

The patch:

------ w3-msql. patch---------
410c410
< scanf("%s ", boundary);

> scanf("%128s ", boundary);
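Review bot: the width in `scanf("%128s ", boundary)` has to be at most one less than the declared size of `boundary`, because scanf still writes the terminating NUL; the declaration is outside this hunk, so confirm that `boundary` holds at least 129 bytes. Note also that `%128s` leaves the rest of an over-long token in the input stream, where the next scanf will read it as a fresh token.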
418c418
< strcat(var, buffer);

> strncat(var, buffer,sizeof(buffer));
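Review bot: `strncat(var, buffer, sizeof(buffer))` bounds the copy by the size of the source, not by the space left in the destination, so repeated calls can still run `var` past its end. The third argument should be the remaining capacity of `var`, for example `strncat(var, buffer, sizeof(var) - strlen(var) - 1);` when `var` is an array (if it is a pointer, pass its allocated size instead).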
428c428
< scanf(" Content-Type: %s ", buffer);

> scanf(" Content-Type: %15360s ", buffer);
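Review bot: same check as for the `boundary` change: `%15360s` must be strictly smaller than the size of `buffer`, and the declaration is not shown. Since `buffer` is also the source of the `strncat` at line 418, this width and the size given to `var` have to be kept in step.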
------ w3-msql. patch---------


28. Netscape FastTrack server 2.0.1a

● Type: attack

● Risk level: medium

● Description: the Netscape FastTrack server 2.0.1a shipped with UnixWare 7.1 has a remote buffer overflow vulnerability. By default the service listens on port 457 and serves the UnixWare documentation over the HTTP protocol. Sending the server a GET request longer than 367 characters overflows a buffer; the EIP value is overwritten, which may allow arbitrary code to run with the permissions of httpd.

● Solution: the temporary workaround is to shut down the Netscape FastTrack Server.

29. AnyForm.cgi

● Type: attack

● Risk level: high

● Description: the AnyForm.cgi program in the cgi-bin directory delivers simple forms as mail responses, but it does not fully check user input, so an intruder can use it to execute any command on the server.

● Recommendation: audit the cgi-bin directory so that no unnecessary programs remain in it.

● Solution: upgrade the CGI program, or delete the file.

30. whois.cgi

● Type: attack

● Risk level: low

● Description: the Whois.cgi shipped with several Web servers has an overflow vulnerability. These include:

Whois Internic Lookup - version: 1.02
CC Whois - Version: 1.0
Matt's Whois - Version: 1

They let an intruder execute arbitrary code on the system with the privileges of the user that started httpd.

● Solution: delete whois.cgi from the Web directories or move it out.

31. environ.cgi

● Type: attack

● Risk level: medium

● Description: the /cgi-bin/environ.cgi program on Apache, IIS and other web servers has a vulnerability that lets an intruder bypass the security mechanisms and browse certain files on the server.

● Recommendation: audit the cgi-bin directory so that no unnecessary programs remain in it.

● Solution: upgrade the CGI program, or delete the file.

32. wrap

● Type: attack

● Risk level: medium

● Description: the /cgi-bin/wrap program has two vulnerabilities that give an intruder illegal access to files on the server, for example: http://host/cgi-bin/wrap?/../../../../../etc

● Recommendation: audit the cgi-bin directory so that no unnecessary programs remain in it.

● Solution: delete the /cgi-bin/wrap file.
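The wrap request above works because the script lets "../" segments in the query string climb out of the directory it was meant to serve. The check it lacked, written here as an added Python example (not the page's or wrap's own code, and the document root and file names are constructed): the naive form glues the query string onto a base directory, the hardened form normalises the path and refuses anything that leaves the root.

```python
import posixpath
from typing import Optional


def naive_path(docroot: str, requested: str) -> str:
    """What a CGI of the /cgi-bin/wrap kind effectively did: append the query
    string to a base directory and let the OS resolve the '..' segments.
    (Illustration of the bug class, not wrap's actual source.)"""
    return posixpath.normpath(docroot + "/" + requested)


def resolve_under_root(docroot: str, requested: str) -> Optional[str]:
    """Hardened form: return the normalised absolute path only if it is still
    inside docroot, otherwise None."""
    if "\x00" in requested:          # a NUL byte truncates the path in C servers
        return None
    root = posixpath.normpath(docroot)
    # Drop the leading slash so join() cannot discard docroot entirely.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    # Compare with a trailing slash so "/var/www/htmlx" is not taken for the root.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed document root; the first query is the traversal from the wrap entry.
    for q in ("/../../../../../etc", "docs/index.html"):
        print(q, "->", naive_path("/var/www/html", q),
              "|", resolve_under_root("/var/www/html", q))
```

On a real filesystem also pass the candidate through os.path.realpath before the prefix check, so a symlink inside the root cannot point outside it.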

33. edit.pl

● Type: attack

● Risk level: medium

● Description: /cgi-bin/edit.pl has a security weakness; with the following request you can view a user's configuration:

http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=

● Recommendation: audit the cgi-bin directory so that no unnecessary programs remain in it.

● Solution: delete the /cgi-bin/edit.pl file.

34. service.pwd

● Type: attack

● Risk level: medium

● Description: on UNIX systems, http://www.hostname.com/_vti_pvt/service.pwd can be read, exposing user password information.

● Recommendation: delete service.pwd.

● Solution: none.

35. administrators.pwd

● Type: attack

● Risk level: medium

● Description: on UNIX systems, http://www.hostname.com/_vti_pvt/administrators.pwd can be read, exposing user password information.

● Recommendation: delete administrators.pwd.

● Solution: none.

36. users.pwd

● Type: attack

● Risk level: medium

● Description: on UNIX systems, http://www.hostname.com/_vti_pvt/users.pwd can be read, exposing user password information.

● Recommendation: delete users.pwd.

● Solution: none.

37. authors.pwd

● Type: attack

● Risk level: medium

● Description: on UNIX systems, http://www.hostname.com/_vti_pvt/authors.pwd can be read, exposing user password information.

● Recommendation: delete authors.pwd.

● Solution: none.

38. visadmin.exe

● Type: attack

● Risk level: medium

● Description: the file visadmin.exe exists in the cgi-bin directory of the OmniHTTPd Web Server; an attacker need only enter the following command:

http://omni.server/cgi-bin/visadmin.exe?user=guest

A few minutes later the server's hard disk will be full.

● Solution: delete visadmin.exe from the cgi-bin directory.

39. tst.bat

● Type: attack

● Risk level: high

● Description: the Alibaba web server has the tst.bat program in its cgi-bin directory, which lets an intruder execute any command:

http://www.victim.com/cgi-bin/tst.bat/type c:\windows\win.ini

● Solution: delete tst.bat from the cgi-bin directory.

40. fpcount.exe

● Type: attack

● Risk level: low

● Description: if you use Windows NT as the Web server platform with only the SP3 patch installed, an intruder can use this CGI program for a DoS attack that makes the IIS service deny access.

● Solution: delete fpcount.exe from the Web directory or move it out.

41. openfile.cfm

● Type: attack

● Risk level: low

● Description: if a Web directory contains these files:

/cfdocs/expeval/exprcalc.cfm
/cfdocs/expeval/sendmail.cfm
/cfdocs/expeval/eval.cfm
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/displayopenedfile.cfm
/cfdocs/exampleapp/email/getfile.cfm
/cfdocs/exampleapp/publish/admin/addcontent.cfm

an intruder may be able to use them to read every file on the system.

● Solution: delete openfile.cfm from the Web directory or move it out.
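Most of the entries above come down to a handful of request paths, so a defender can spot probes for them in the Web server's access log and tell from the status code whether the script is really present. This is an added Python example, not code from the original page; the log lines are constructed, and the Common Log Format layout and the signature labels are this example's own assumptions.

```python
import re

# Request patterns taken from the entries above (phf, finger, wrap, the
# FrontPage _vti_pvt password files, visadmin.exe, tst.bat, edit.pl);
# the labels are this example's own.
CGI_SIGNATURES = [
    ("phf command injection",     re.compile(r"/cgi-bin/phf\?.*Qname=", re.I)),
    ("finger against localhost",  re.compile(r"/cgi-bin/finger\?@\s*localhost", re.I)),
    ("wrap traversal",            re.compile(r"/cgi-bin/wrap\?.*\.\./", re.I)),
    ("FrontPage password file",   re.compile(r"/_vti_pvt/(service|administrators|users|authors)\.pwd", re.I)),
    ("visadmin disk fill",        re.compile(r"/cgi-bin/visadmin\.exe\?", re.I)),
    ("tst.bat command execution", re.compile(r"/cgi-bin/tst\.bat/", re.I)),
    ("edit.pl account probe",     re.compile(r"/cgi-bin/edit\.pl\?.*account=", re.I)),
]

# Common Log Format: host ident authuser [date] "method path protocol" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')


def scan_access_log(lines):
    """Return (client, label, path, status) for each line whose request path
    matches one of the signatures; lines that are not in CLF are skipped."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        for label, pattern in CGI_SIGNATURES:
            if pattern.search(path):
                hits.append((client, label, path, int(status)))
                break
    return hits


def exposed(hits):
    """A 2xx answer means the script or file really is on the server and the
    entry's solution applies; a 403/404 only shows that someone is probing."""
    return [h for h in hits if 200 <= h[3] < 300]


# Constructed sample log lines; only the request paths echo the entries above.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2007:00:00:01 +0800] "GET /cgi-bin/phf?Qname=root HTTP/1.0" 404 210',
    '203.0.113.5 - - [20/Jan/2007:00:00:02 +0800] "GET /cgi-bin/wrap?/../../../../../etc HTTP/1.0" 403 -',
    '198.51.100.7 - - [20/Jan/2007:00:01:10 +0800] "GET /_vti_pvt/service.pwd HTTP/1.0" 200 148',
    '198.51.100.7 - - [20/Jan/2007:00:01:11 +0800] "GET /index.html HTTP/1.0" 200 1024',
    '192.0.2.9 - - [20/Jan/2007:00:02:30 +0800] "GET /cgi-bin/finger?@localhost HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for client, label, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{client:14} {status} {label:28} {path}")
```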