COMMAND

    httpd

SYSTEMS AFFECTED

    IRIX 6.2

PROBLEM

    J.A. Gutierrez found the following.  The WWW HTTP/1.0 Server, as
    shipped with IRIX 6.2 (at least on low-end machines), includes a
    Perl script (wrap) which allows anyone on the net to get a listing
    of any directory with mode +755.

    Simply use:

        http://sgi.victim/cgi-bin/wrap?/../../../../../etc

    There is a nice interface to this bug at:

        http://phoebe.cps.unizar.es/~spd/pub/ls.cgi
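
    Requests of the form shown above leave a recognizable line in the
    web server's access log. The Python code below is an added example,
    not part of the original advisory or of the IRIX server: it flags
    requests to /cgi-bin/wrap whose query string contains a ".." path
    segment. It assumes Common Log Format; the function names and the
    sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed Common Log Format: client ident user [time] "METHOD target PROTO" status size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3})')
WRAP_PATH = "/cgi-bin/wrap"  # script named in the advisory

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so encoded dots are compared in plain form."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_parent_segment(path):
    """True if any path segment is exactly '..' (either slash style)."""
    return ".." in re.split(r"[/\\]+", path)

def find_wrap_traversal(log_lines):
    """Return (client, target, status) for wrap requests whose query climbs upward."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parseable request line
        client, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if fully_decode(path).rstrip("/") != WRAP_PATH:
            continue
        if has_parent_segment(fully_decode(query)):
            hits.append((client, target, int(status)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Apr/1997:23:01:12 +0200] "GET /cgi-bin/wrap?/../../../../../etc HTTP/1.0" 200 1843',
    '192.0.2.11 - - [19/Apr/1997:23:02:40 +0200] "GET /cgi-bin/wrap?/docs/release..notes HTTP/1.0" 200 512',
    '192.0.2.12 - - [19/Apr/1997:23:03:05 +0200] "GET /cgi-bin/wrap?/%2e%2e/%252e%252e/etc HTTP/1.0" 200 1843',
    '192.0.2.13 - - [19/Apr/1997:23:04:17 +0200] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for client, target, status in find_wrap_traversal(SAMPLE_LOG):
        print(f"{client} {status} {target}")
```

    A file name that merely contains two dots (release..notes) is not
    flagged, because only whole ".." segments count.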

SOLUTION

    If you are running this server, here is a fix:

    *** /var/www/cgi-bin/wrap       Sat Apr 19 23:08:03 1997
    --- /var/www/cgi-bin/wrap.O     Sat Apr 19 23:07:44 1997
    ***************
    *** 66,74 ****
      $doc      = $ROOT.$PATH ;

      &DefaultMesg if ! defined $PATH || $PATH eq "" ;      # Get a base listing =)
    -
    - $_ = $PATH;
    -
      &ErrBadPath unless &ValidPath ;       # Check for server spoofing
      &ErrBadPath unless -e $doc ;  # Check to see it exists
      &HandleDownload if -f $doc ;  # Do the right thing
    --- 66,71 ----
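
    Review bot: the diff appears to be generated in the wrong direction.
    The header names /var/www/cgi-bin/wrap (23:08:03) as the old file and
    wrap.O (23:07:44) as the new one, so the "$_ = $PATH;" assignment in
    front of "&ErrBadPath unless &ValidPath" is shown as removed, and the
    new side (66,71) has no assignment before the check; applied as
    written, it turns wrap into wrap.O. If wrap.O is the shipped original
    and the fix is the added "$_ = $PATH;", regenerate the patch with
    "diff -c wrap.O wrap". Separately, &ValidPath is called with no
    arguments, so the check appears to depend on the global $_; passing
    the path to ValidPath explicitly would keep the validation tied to
    the value that is later joined to $ROOT.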