Return-Path: owner-bugtraq@SECURITYFOCUS.COM
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID:
Date: Wed, 24 May 2000 13:57:21 -0400
Reply-To: Jose Nazario
Sender: Bugtraq List
From: Jose Nazario
Subject: Re: Vulnerability in infosrch.cgi
X-To: BUGTRAQ@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

> _______________________________________________________________________
> SGI Security Advisory
>
> Title: Vulnerability in infosrch.cgi
> Number: 20000501-01-P
> Date: May 22, 2000
> _______________________________________________________________________

[snip]

> - --------------------------
> - --- Temporary Solution ---
> - --------------------------
>
> Although patches are available for this issue, it is realized that
> there may be situations where installing the patches immediately may
> not be possible.
>
> The steps below can be used to disable the infosrch.cgi(1) program to
> prevent exploitation of this vulnerability until patches can be
> installed.

I've been dragging my feet on getting this out; I should have done so when
the vulnerability first came out. It's surprising that SGI doesn't mention
the Netscape server ACLs that you can use to prevent this. Given that most
SGIs out there using the online manpages are *workstations*, this is a safe
fix. Note that the ACLs will keep anyone else from getting to the web server
and associated materials. (But hey, if you're using an SGI/IRIX webserver
without securing it, you deserve what you get.)

By default, the server software lives in /usr/ns-home. We can use the ACLs
built into the server solution. Simply edit your magnus.conf file (and
replace "workstation" with the system's name) and add the following line:

file: /usr/ns-home/httpd-workstation/config/magnus.conf

    ACLFile /usr/ns-home/httpacl/generated.httpd-workstation.acl

Then create or edit the file as needed (note the \ to point out the line
wrap; it's all one line in the file).
Change "workstation" to your system's name and 10.1.2.3 to your system's IP
address:

file: /usr/ns-home/httpacl/generated.httpd-workstation.acl

    ACL httpd-workstation_formgen-WRITE-ACL_deny-3633 (PUT, DELETE, MKDIR, \
    RMDIR, MOVE) {
    Default deny anyone;
    }

    ACL httpd-workstation_formgen-READ-ACL_allow-3633 (GET, HEAD, POST, INDEX) {
    Default deny anyone;
    Default allow anyone at (127.0.0.1, 10.1.2.3);
    }

I have used this and found that it stops people from perusing the
infosrch.cgi script and thwarts the exploit (note the 500 error; I believe
this was posted to INCIDENTS recently):

    pedgr827.sn.umu.se - - [22/Apr/1999:07:07:54 -0400] "GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/echo%20$HTTP_X|/bin/sh%20-s HTTP/1.0" 500 305

----------[ Availability of 6.5.8

Secondly, I noticed yesterday that the relstream on the SGI FTP server
patches.sgi.com was inaccessible. A quick email to SGI had me pointed to
http://support.sgi.com/colls/patches/tools/relstream/index.html (thanks to
Alexander Icasiano at SGI). The relstream directory still shows up empty as
of 1:45 EDT Wednesday. I hope this helps.

There may be a bit more to it; it's been a long time since I installed this
ACL. Some kind soul pointed this out to me years ago on Usenet, and I was
unable to find the messages in the Deja archives. Thanks, whoever you are.

jose nazario                                    jose@biochemistry.cwru.edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
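An added example, not from the post above and not SGI's or Netscape's code: the logged request in the post carries a shell pipeline in the fname= parameter of infosrch.cgi, so a log-side check can pick such attempts out of a common-format access log by URL-decoding fname and looking for shell metacharacters. The detector below does that; the parameter name fname, the metacharacter list and every sample log line other than the one quoted in the post are this example's own assumptions and constructed data.

```python
"""Flag infosrch.cgi command-injection attempts in NCSA common-format web logs.

Added example, not part of the Bugtraq post. It assumes (as the post's log
line suggests) that the injection travels in the fname= query parameter.
"""
import re
import sys
from urllib.parse import unquote, unquote_plus, urlsplit

# NCSA common log format: host ident authuser [date] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that let a value break out of a shell command line built from it
# (assumed list; extend as needed).
SHELL_META = re.compile(r'[|;&`$<>\n]')


def query_params(query):
    """Split a raw query string on '&' only and percent-decode keys and values.

    Done by hand rather than with parse_qs so that a raw ';' stays inside the
    value (older parse_qs versions also split on ';') and every repeated key
    is kept.
    """
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_infosrch_injection(path):
    """True if the request hits infosrch.cgi with shell metacharacters in fname."""
    parts = urlsplit(path)
    if not parts.path.endswith('/infosrch.cgi'):
        return False
    for value in query_params(parts.query).get('fname', []):
        # Decode a second time so a double-encoded %257C ('|') is caught too.
        if SHELL_META.search(unquote(value)):
            return True
    return False


def parse_line(line):
    """Return the fields of one log line, or None if it is not common log format."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def scan(lines):
    """Return (host, status, decoded request path) for every injection attempt.

    The status is reported but not used to filter: a 500 like the one in the
    post's log line and a 200 both deserve a look, because the response code
    alone does not tell you whether the injected command ran.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_infosrch_injection(rec['path']):
            hits.append((rec['host'], rec['status'], unquote(rec['path'])))
    return hits


# Constructed sample log: the first line is the exploit attempt quoted in the
# post; the other three are made up here (benign lookup, percent-encoded ';'
# injection, unrelated CGI) to show what is and is not flagged.
SAMPLE_LOG = [
    'pedgr827.sn.umu.se - - [22/Apr/1999:07:07:54 -0400] '
    '"GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|/bin/echo%20$HTTP_X|/bin/sh%20-s HTTP/1.0" 500 305',
    '10.1.2.3 - - [24/May/2000:13:00:00 -0400] '
    '"GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=ls HTTP/1.0" 200 4123',
    '192.0.2.7 - - [24/May/2000:13:05:42 -0400] '
    '"GET /cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=ls%3Bid HTTP/1.0" 200 512',
    '192.0.2.8 - - [24/May/2000:13:06:10 -0400] '
    '"GET /cgi-bin/other.cgi?fname=|id HTTP/1.0" 404 210',
]

if __name__ == '__main__':
    # Pipe a real access log in on stdin, or run with no input to use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    for host, status, path in scan(source):
        print(f'{host} {status} {path}')
```

Run it as `python3 detect_infosrch.py < access_log` against a Netscape/NCSA-format log; on the constructed sample it reports the quoted exploit line and the encoded `;` line and stays silent on the plain `fname=ls` lookup and the unrelated CGI. Decoding is done on the query value only, so a `|` that is merely part of an unrelated path is not enough to trigger a hit.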