Re: test-cgi - Re: HTTP REQUEST METHOD flaw
Peter van Dijk (peter@ATTIC.VUURWERK.NL)
Thu, 14 Jan 1999 09:35:33 +0100
- Next message: Mike Jones: "security hole in Maximizer"
- Previous message: mnemonix: "MS IIS 4.0 Security Advisory"
- In reply to: monti: "test-cgi - Re: HTTP REQUEST METHOD flaw"
- Next in thread: Peter van Dijk: "Re: test-cgi - Re: HTTP REQUEST METHOD flaw"
On Wed, Jan 13, 1999 at 10:12:13AM -0600, monti wrote:
> At least one exploitable application for throwing arbitrary characters
> into an HTTP request method is good old "test-cgi".
>
> The suggested (and from what I have seen on most systems, typical) fix
> for the original bug in this script was to put the "QUERY_STRING" variable
> in test-cgi in quotes to prevent its use for listing files.
>
> With mnemonix's post regarding the REQUEST METHOD's "feature", many users
> are re-exposed to the test-cgi problem, as the "REQUEST_METHOD" variable
> remains un-quoted in the following shell command:
>
> echo REQUEST_METHOD = $REQUEST_METHOD
>
> Instead of using "*" or a pathname followed by "*" as an argument to
> test-cgi as in:
>
> GET /cgi-bin/test-cgi?* HTTP/1.0
>
> an attacker could use something like the following:
>
> * /cgi-bin/test-cgi HTTP/1.0
>
> to see the contents of the /cgi-bin directory of the web root.

A paper I wrote somewhere in 1997(!) notes that CONTENT_TYPE, CONTENT_LENGTH,
HTTP_ACCEPT, HTTP_REFERER, PATH_INFO, PATH_TRANSLATED, QUERY_STRING,
REQUEST_METHOD and SERVER_PROTOCOL are under control of the user. If you
control your reverse and forward DNS, you could also theoretically control
REMOTE_HOST.

Greetz, Peter.

--
<squeezer> AND I AM GONNA KILL MIKE                    | Peter van Dijk
<squeezer> hardbeat, if you're still sober:            | peter@attic.vuurwerk.nl
<squeezer> @date = localtime(time);                    | realtime security d00d
<squeezer> $date[5] += 2000 if ($date[5] < 37);        |
<squeezer> $date[5] += 1900 if ($date[5] < 99);        | * blah *
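The mechanism the thread describes, as an added example that is not part of the original posts: the server copies the first token of the request line into REQUEST_METHOD verbatim, and test-cgi's unquoted `echo REQUEST_METHOD = $REQUEST_METHOD` then lets the shell perform pathname expansion on it. The script below stands in for both sides offline. The scratch directory (a stand-in for /cgi-bin), its file names, and the helper function names are constructed for this example; the vulnerable echo line is the one quoted above, and the quoted form beside it is the same fix monti describes for QUERY_STRING.

```shell
#!/bin/sh
# Added example (not from the original thread). Shows why an attacker-chosen
# request method leaks a directory listing through test-cgi's unquoted echo,
# and that double-quoting the expansion stops it.

# Constructed stand-in for the server's /cgi-bin directory.
CGI_DIR=$(mktemp -d)
trap 'rm -rf "$CGI_DIR"' EXIT
touch "$CGI_DIR/test-cgi" "$CGI_DIR/phf" "$CGI_DIR/nph-test-cgi"

# What a CGI-capable server does with the request line: the method is the
# text up to the first space, passed through with no validation at all.
# (Hypothetical helper; real servers do this in C, not sh.)
request_method_from_line() {
    line=$1
    printf '%s\n' "${line%% *}"
}

# The vulnerable test-cgi line, run with the method set by the request and
# the working directory a CGI script typically has (the script's own dir).
# $1 = request method, $2 = working directory. Unquoted $REQUEST_METHOD is
# subject to word splitting and pathname expansion before echo runs.
vulnerable_echo() {
    ( cd "$2" && REQUEST_METHOD=$1 && echo REQUEST_METHOD = $REQUEST_METHOD )
}

# The same line with the expansion quoted: the shell no longer globs it,
# so a method of "*" is printed as the literal character.
fixed_echo() {
    ( cd "$2" && REQUEST_METHOD=$1 && echo "REQUEST_METHOD = $REQUEST_METHOD" )
}

# Walk through the request from the thread: "* /cgi-bin/test-cgi HTTP/1.0".
method=$(request_method_from_line '* /cgi-bin/test-cgi HTTP/1.0')
echo "method as seen by the script: $method"
echo "vulnerable: $(vulnerable_echo "$method" "$CGI_DIR")"
echo "fixed:      $(fixed_echo "$method" "$CGI_DIR")"

# A method carrying an absolute path with a glob works from any cwd,
# i.e. "/cgi-bin/* /cgi-bin/test-cgi HTTP/1.0" with /cgi-bin swapped for
# the scratch directory here.
echo "vulnerable, absolute glob: $(vulnerable_echo "$CGI_DIR/*" /)"
```

Because the server never validates the method, the same trick applies to every variable on Peter's list that reaches an unquoted shell expansion; the fix is the quoting shown in `fixed_echo`, not filtering a single variable.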