
Re: another security hole

On Sun, 11 Jul 1999, Josip Rodin wrote:

> On Sun, Jul 11, 1999 at 01:23:32PM +0200, Grzegorz Stelmaszek wrote:
> > I'd found a bug allowing remote users to list any directory in the OS
> > when it uses the cgi-scripts package.
> > Don't answer that directory listing is not important for hackerz
> 
> Although this security issue is not of extreme importance, yes, it
> can be harmful, because anyone can see the file listing in directories
> that the www-data user can read.
> 
What could I say? ROTFL is the one thing I could say. Important information
for all 'security professionals' on that list:
-> Any information is very important for hackerz
-> The most important is gaining r00t privileges
-> Then the hacker tries to gain any account on the system in quite a short time
-> Then the hacker tries to use 'social engineering' to get any user account
-> Then the hacker tries to guess the password ;>

As you could see, the last two steps need a LIST OF AVAILABLE USER ACCOUNTS
on your system.
Nota bene - AIK Debian still uses an unpatched version of pine, so there is
an easy way to run any command via it IF you know to whom to send an email.
 
> And you know, it would be nice if you proposed a fix for the bug.
> A quick fix would be to remove or chmod -x the script.
> 
Hmmm, or rather you should change all `echo $VALUE` to `echo "$VALUE"`, and
this is the real fix. Your proposition is the same as `dpkg -r` and imho is not
a fix, but destruction ;>.

greg

PS.
  Especially for some of you that never understand what I'm talking about
;> I give an explanation:
-> the hacker starts `lynx victim/cgi-bin/nph-test-cgi?/home/*` so he has a list
of user accounts (impossible! does the www-data user have access to /home?)
-> the hacker runs `lynx victim/cgi-bin/nph-test-cgi?/usr/doc/*` so he has a list of
packages installed
-> the hacker prepares for the attack
-> the hacker sends an email to any girl (sorry, but that's true ;>) that has an
account on the OS
-> the girl reads his email, so the hacker has an account

any more problems?
imho not
*************************************************************************** 
* Grzegorz Stelmaszek        *          For my public PGP key:
* mailto:greg@tenet.pl       *           finger:greg@tenet.pl
* http://www.tenet.pl        *         18 E9 5E 6D 78 F0 11 F2
******************************         45 CF CF 63 77 C0 A4 20
           >>> Microsoft Certified Professional <<<