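Vulnerability Details
IRIX cgi-bin handler vulnerability
- CNNVD ID: CNNVD-199709-004
- Severity: High
- CVE ID: CVE-1999-0148
- Vulnerability type: Input validation
- Published: 1997-09-01
- Threat type: Remote
- Updated: 2005-05-02
- Vendor: sgi
- Source: This bug was origi…
Vulnerability Summary
The handler CGI program in IRIX allows execution of arbitrary commands.
Vulnerability Advisory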
A suitable patch was posted to Bugtraq:
*** handler.orig Wed Jul 23 20:49:26 1997
— handler Wed Jul 23 20:55:25 1997
***************
*** 26,31 ****
— 26,32 —-
$pathRoot = $_[$#_] ;
$doc = $ROOT.$PATH ;
+ $_ = $PATH;
&ErrBadPath unless &ValidPath ; # Check for server spoofing
#__________________________________________________________
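Review bot: `$_ = $PATH;` overwrites the global `$_` only so that `&ValidPath` can match against it implicitly, and that coupling breaks silently if anything between the assignment and the call touches `$_`. Pass the path explicitly (`&ValidPath($PATH)`) or at least use `local $_ = $PATH;`, and add a comment saying that ValidPath reads `$_`. Also, `$doc = $ROOT.$PATH` is built before the check runs, so nothing should use `$doc` until `&ValidPath` has returned true.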
***************
*** 108,113 ****
— 109,117 —-
sub ValidPath
{
+ # suggested by drazvan@kappa.ro
+ if (/[|;]/) { return ” };
+
return 1 unless /\.\./ ;
return ” if /^\.\./ ;
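Review bot: the new test `/[|;]/` at the top of ValidPath is a denylist of two characters, so every other character is still accepted by this check. Given that the handler is reported to allow command execution, an allowlist is the safer shape: reject any path that contains a character outside the set a document path needs, for example letters, digits, `/`, `.`, `_` and `-`. The credit comment is fine, but a comment stating why these characters are rejected would help the next maintainer.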
***************
*** 117,120 ****
— 121,136 —-
return 1 ;
}
+ sub ErrBadPath
+ {
+ print <
+
404 Not Found
+ The requested URL $PATH was not found on this server.
+
+ ENDOFTEXT
+
+ die ;
+ }
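Review bot: ErrBadPath interpolates `$PATH` into the response body, and at this point `$PATH` has just failed validation, so untrusted request data is echoed back to the client with no encoding. HTML-escape the value before printing it, or leave it out of the message. The bare `die ;` also writes only a generic message to the server error log; give it a message that records why the path was rejected.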
Please go to SGI support at
http://support.sgi.com for official patches from Silicon Graphics for this and any other vulnerabilities.
References
Source: BID
Name: 380
Link: http://www.securityfocus.com/bid/380
Source: SGI
Name: 19970501-02-PX
Link: ftp://patches.sgi.com/support/free/security/advisories/19970501-02-PX