"The Finger Server" execute shell commands

  "The Finger Server"

"The Finger Server"

Iain  Wade  found  following.   In  1999.  he was tinkering w/ The Finger  Server  v0.82  and  came  across  some  bugs which let you execute shell  commands under  the privileges  of the  web server.It's available at

glazed.org  It's just another case of perl doing it's magic on an open() call.There  is  undoubtably  other  problems,  but here's the offending code exploited here is:

        open (PLANS, "$plan_path$filename") ||
                do { print "Can't open $plan_path$filename: $!";

    It is called with the following arguments;
finger.cgi?action=archives&cmd=specific&filename=  It does minimal checking before there, really only making sure the username is valid, but for example by using:

you can execute whatever...  The  output will not get to you  (the web client)  obviously if  you use  ||  .. it  does
    however get executed...  So an example to test it could be 

Surrounding  it  in  pipes  is  the  only  way one could get it to execute, otherwise it would return open errors 


One Response to “c0decstuff”

What's on Your Mind...

Thank f' u C0mment