Posted to dev@httpd.apache.org by Andrew Wilson <an...@aaaaaaaa.demon.co.uk> on 1996/04/19 19:15:17 UTC

CIAC...

[just trying to understand what's going on here...]

Mmm, on second thoughts what is the problem precisely?  In 1.1-dev
(yeah I know CIAC's concerned with 1.0.3) the escape_shell_cmd()
function is only used in two places:

1)  mod_include.c, to screen values which are given to the environment 
    variables:
    PATH_INFO
    QUERY_STRING_UNESCAPED

    so presumably prior to any fix people would risk running some
    embedded '\nrm -rf /' when writing perl like:

    #!/usr/bin/perl
    # fukme
    # the CGI variable is read from the environment, then handed to a shell
    `do_my_script $ENV{QUERY_STRING_UNESCAPED}`;
    exit;

    Does anyone out there *trust* the webserver to remove bad
    characters from the environment variables?!  I mean there's
    nothing in the documentation (*snort*) that sez "Apache ensures
    that all invalid characters are scrubbed, so it's safe to pass
    this info into exec!".

    Mmm... is there another reason why these two env vars are being screened?

2)  util_script.c contains create_argv*(), as called by mod_cgi.c
    which builds CGI commands prior to their execution, and uses
    arguments passed in from the real world.  This argument set is
    only screened and passed to execve if the URL is of the form:

	/cgi-bin/foo?whatever

    Presumably this is where the \n can creep in unnoticed and
    cause havoc!?  I've tried as many combinations as I can think
    of to replicate something like:

	/cgi-bin/foo?legit\n<some nasty command>

    Anyway,...

    Can anyone *mail me* an exploit script for this please!?

Cheers,
Ay.
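An added example in C (not code from the post, nor Apache's own util.c) of the kind of screening escape_shell_cmd() exists to do on the CGI argument before execve, showing why a newline left out of the metacharacter set matters; the two metacharacter lists and the has_unescaped_newline() check are assumptions constructed for this illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Characters a POSIX shell treats specially. Constructed for this example;
 * the exact list in Apache's util.c may differ. '\n' is included because a
 * bare newline ends a shell command line, so an unescaped one in a query
 * string turns the rest of the argument into a second command. */
static const char SHELL_META_FIXED[] = "&;`'\"|*?~<>^()[]{}$\\\n";
/* The same list without '\n', modelling an escaper that forgets the newline. */
static const char SHELL_META_NAIVE[] = "&;`'\"|*?~<>^()[]{}$\\";

/* Return a malloc'ed copy of s with every character from the meta set
 * prefixed by a backslash. Caller frees the result. */
char *escape_shell_arg(const char *s, const char *meta)
{
    size_t n = strlen(s);
    char *out = malloc(2 * n + 1);   /* worst case: every char escaped */
    char *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (strchr(meta, *s)) *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Defensive check on an already-escaped argument: is there a '\n' that is
 * not preceded by an odd run of backslashes (i.e. still live for the shell)? */
int has_unescaped_newline(const char *s)
{
    int backslashes = 0;
    for (; *s; s++) {
        if (*s == '\\') { backslashes++; continue; }
        if (*s == '\n' && backslashes % 2 == 0) return 1;
        backslashes = 0;
    }
    return 0;
}
```

Running the same constructed input through both lists shows the naive escaper leaves the newline live while the fixed one neutralises it.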