COMMAND

    /var/www/cgi-bin/pfdispaly.cgi

SYSTEMS AFFECTED

    IRIX 6.2, 6.3, 6.4

PROBLEM

    J.A. Gutierrez found following.   If you do not remember  or don't
    know about the /cgi-bin/handler bug, take a look at 'httpd #4'  in
    IRIX section of Security Bugware.  Well, more of the same.  Anyone
    can read files (as 'nobody') from your system.  Exploit:

        lynx -source \
        'http://victim.com/cgi-bin/pfdispaly.cgi?/../../../../etc/motd'

    The   IRIS   Performer   API   Search   Tool   software  subsystem
    (performer_tools) is  loaded by  default when  installing the IRIX
    Performer 2.2 CD on IRIX 6.2, 6.3 and 6.4

SOLUTION

    SGI fixes are:

        OS Version     Patch #
        ----------     -------
        IRIX 6.2        3018
        IRIX 6.3        3018
        IRIX 6.4        3018

    Here's the patch:

    *** pfdispaly.cgi.O     Mon Mar 16 23:13:34 1998
    --- pfdispaly.cgi       Mon Mar 16 23:36:29 1998
    ***************
    *** 14,19 ****
    --- 14,20 ----
      $fullcgiroot = "/var/www$cgiroot";

      $shortfilepath = "$ARGV[0]";
    + $shortfilepath =~ s/\.{2,}//g;
      $fullfilepath = "$maindocroot$shortfilepath";
      ($filename = $shortfilepath) =~ s/.*\/(.*)$/$1/;

    Another woraround is:

        # /bin/chmod 500 /var/www/cgi-bin/pfdispaly.cgi