Newsgroups: fj.unix
Path: galaxy.trc.rwcp.or.jp!news.trc!nf2.iij.ad.jp!nr0.iij.ad.jp!news.iij.ad.jp!rim.or.jp!ayamura-news!tamaru-news!kuee-news!aero.kyushu-u!hakozaki.karrn!hakata!sakura.kudpc!cancer.nca5.ad.jp!nfeed.gw.nagoya-u.ac.jp!vega2!arisawa
From: arisawa@vega2.aichi-u.ac.jp (Kenji Arisawa)
Subject: cgi security
Sender: news@vega2.aichi-u.ac.jp (News Master)
Message-ID: <ErwM8F.2FF@vega2.aichi-u.ac.jp>
Date: Fri, 24 Apr 1998 06:05:03 GMT
Nntp-Posting-Host: vega2
Organization: Aichi University Computer Center, Aichi University, Aichi, Japan.
X-Newsreader: mnews [version 1.18PL3+] 1994-08/01(Mon)
Lines: 33
Xref: galaxy.trc.rwcp.or.jp fj.unix:7887
X-originally-archived-at: http://galaxy.rwcp.or.jp/text/cgi-bin/newsarticle2?ng=fj.unix&nb=7887&hd=a
X-reformat-date: Mon, 18 Oct 2004 15:18:22 +0900
X-reformat-comment: Tabs were expanded into 4 column tabstops by the Galaxy's archiver. See http://katsu.watanabe.name/ancientfj/galaxy-format.html for more info.

$BM-_7(B@$B0&CNBg3X$G$9(B

3$B7nKv$K$"$k?M$+$i(B E-mail $B$,FO$-$^$7$?!#(B
$B0J2<$NFbMF$G;O$^$j(B
You have a bug in your system that allows unathorized access to the passwd file. I retrieved the file simply through a web browser, and any other malicious hacker could do the same. You are very lucky because I had no malicious intent. I never even tried to crack the passwords. Here is what the file lists when you use the phf bug.
$B$3$N8e$K(B /etc/passwd $B$NFbMF$,B3$-$^$9!#(B

As a countermeasure, he attached a program that returns garbage
when a cgi goes to read /etc/passwd.

$B9,$$;d$N(B /etc/passwd $B$OC1$J$k%@%_!<$J$N$H!"H`$N8@$&BP:v$OLdBj$NK\<A$r(B
$BFM$$$F$$$k$H$O;W$($J$+$C$?$N$G$=$N$^$^$[$C$FCV$-$^$7$?!#(B
$B$9$k$H:#EY$O(B /etc/passwd $B$r=q$-49$($F$/$l$^$7$?!#(B
$B%"%/%;%9%b!<%I$O(B
rw-r--r--
$B$K$J$C$F$$$k$N$G$9$,!"$3$l$rFMGK$7$?$N$G$9!#(B
$BCzG+$K(B
sea_dog@hotmail.com
$B$N=pL>$,F~$C$F$$$^$9$,!"B?J,%K%;%"%I%l%9$G$7$g$&!#(B

He is probably accessing Web servers all over the world and automatically
sending mail to, or playing pranks on, the servers that have the problem. So far
he does not seem to mean any harm, but I suspect that some of you have received
the same mail.

I would like to cure the problem at its root, so please let me hear your opinions
on the possible causes.

Incidentally, my server is Apache 1.1.

Kenji Arisawa
E-mail: arisawa@aichi-u.ac.jp

