
On Thu, 29 Jul 1999, Stefan Völkel wrote:
http://your.domain.tld/cgi-bin/test-cgi?;cat%20/etc/shadow%0a
but nothing happened. After checking the httpd.conf I saw that the httpd runs as user nobody on the Red Hat box. Since I do not have access to the SuSE machines I cannot check if it runs there as nobody too, so is it possible that on the SuSE boxes the httpd runs as non-'nobody', which makes it able to read the /etc/shadow?

Hello Stefan,

normally only root can read /etc/shadow, but in almost all standard configurations of http servers the user nobody is used (or something equivalent, such as "wwwrun" in the SuSE Apache config). So there is little chance that the above example will work.

But with a buggy test-cgi, one where you can find a line such as 'echo $*' (an UNquoted $*), someone could execute arbitrary commands as the user running httpd, so normally NOT root, but nevertheless it's not recommended to leave such a hole! So simply make sure that the environment variables are quoted in test-cgi, or disable it completely!

Bye,
Peter
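
Added example, not part of the original message and not the actual test-cgi script: a shell sketch of how an echo line treats a request value with and without quotes, showing the word splitting and filename globbing that the quoted form prevents. The function names, the use of QUERY_STRING as the variable, and the sample files are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo of the quoting fix described above.
# Function names and sample files are hypothetical, not taken from test-cgi.

# Weak form: unquoted expansion. The shell word-splits the value and
# expands glob characters against the current directory before echo runs.
echo_unquoted() {
    QUERY_STRING=$1
    echo QUERY_STRING = $QUERY_STRING
}

# Hardened form: quoted expansion. The value reaches the output as one
# literal word; printf also avoids echo's option and escape handling.
echo_quoted() {
    QUERY_STRING=$1
    printf 'QUERY_STRING = %s\n' "$QUERY_STRING"
}

# Run both forms inside a scratch directory holding two constructed files,
# so the glob result is predictable and nothing outside it is touched.
demo() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && : > alpha.txt && : > beta.txt &&
      echo_unquoted "$1" && echo_quoted "$1" )
    rc=$?
    rm -rf "$dir"
    return $rc
}

demo '*'       # unquoted output lists the directory's file names
demo 'a   b'   # unquoted output collapses the run of spaces
```

The unquoted form turns a bare `*` in the request into a listing of the script's working directory, which is information the client was never meant to see; the quoted form returns the value exactly as sent.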