From mbrennen@fni.com  Thu Jul  4 08:54:10 1996
Received: from ns1.fni.com (root@ns1.fni.com [204.181.104.1]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id IAA04513 for <best-of-security@suburbia.net>; Thu, 4 Jul 1996 08:54:00 +1000
Received: from ns1.fni.com (mbrennen@ns1.fni.com [204.181.104.1]) by ns1.fni.com (8.7.5/8.7.3) with SMTP id RAA19613 for <best-of-security@suburbia.net>; Wed, 3 Jul 1996 17:53:35 -0500
Date: Wed, 3 Jul 1996 17:53:35 -0500 (CDT)
From: Michael Brennen <mbrennen@fni.com>
To: best-of-security@suburbia.net
Subject: *** SECURITY ALERT *** (fwd)
Message-ID: <Pine.LNX.3.91.960703175227.15771W-100000@ns1.fni.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


---------- Forwarded message ----------
Date: Wed, 3 Jul 1996 14:50:06 -0700 (PDT)
From: TTT Group <ttt@broder.com>
To: firewalls@GreatCircle.COM
Subject: *** SECURITY ALERT ***

I spent some time exploring Novell's HTTP server and out of the box
there is a CGI that is VERY VERY INSECURE!!!!!!!!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
If you are running the Novell HTTP server, please disable the CGI's 
it comes with until you understand (fully understand) what the 
security risks are.
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

The CGI in question is convert.bas (yes, cgi's in basic, stop laughing).
(There may be more CGI's in the scripts dir that can be exploited
but this was all I could stomach.)

A remote user can read any file on the remote file system using 
this CGI.  This means that if you are running the Novell HTTP
server and have the 'out of box' CGI's, you are breached.
Exploit code:
http://victim.com/scripts/convert.bas?../../anything/you/want/to/view

I was going to see how bad this threat was by connecting to 
www servers, testing for "Novell HTTP" in the HTTP server response
BUT WHY DO THAT WHEN YOU HAVE www.altavista.digital.com :-)
+links:scripts/convert.bas
will return you all the sites that can be breached.

PLEASE PLEASE PLEASE don't open the box and put the machine on the 
Internet.  I am getting tired of this kind of stuff.
Who the hell did Novell consult with to write these darn CGI's?
It makes me sad.

--blast
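
Added example, not part of the original message: a check an administrator could run over their own web server access log to find convert.bas requests whose query string climbs out of the document tree, as in the URL shown above. The Common Log Format, the case-insensitive path match and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry (the log format is an assumption).
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?:GET|HEAD|POST) (?P<target>\S+)')
SCRIPT = "/scripts/convert.bas"  # script path taken from the advisory above

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(query):
    """True if the decoded query contains a '..' path segment (either separator)."""
    segments = re.split(r"[\\/]+", fully_decode(query))
    return ".." in segments

def find_traversal_requests(log_lines):
    """Return (client, decoded_query) for convert.bas requests that climb directories."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        # Compare case-insensitively so case variants of the path are not missed.
        if fully_decode(path).lower() != SCRIPT:
            continue
        if is_traversal(query):
            hits.append((m.group("client"), fully_decode(query)))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/1996:14:50:06 -0700] "GET /scripts/convert.bas?../../anything/you/want/to/view HTTP/1.0" 200 512',
    '192.0.2.11 - - [03/Jul/1996:14:51:00 -0700] "GET /scripts/convert.bas?report.txt HTTP/1.0" 200 128',
    '198.51.100.7 - - [03/Jul/1996:14:52:30 -0700] "GET /SCRIPTS/CONVERT.BAS?%2e%2e%5c%2e%2e%5csystem%5cfile HTTP/1.0" 200 900',
    '198.51.100.8 - - [03/Jul/1996:14:53:10 -0700] "GET /index.htm HTTP/1.0" 200 2048',
    '203.0.113.5 - - [03/Jul/1996:14:54:44 -0700] "GET /scripts/convert.bas?%252e%252e/%252e%252e/etc HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for client, query in find_traversal_requests(SAMPLE_LOG):
        print(f"{client}\t{query}")
```

A hit with a 200 status means the request was served and the file named in the query should be treated as disclosed; the check only finds past requests and does not replace disabling the script.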

