----------------------------------------------------------------------------

Service

http

Program

   * NT Netscape Communications Server, all versions to 18th March 1996.
     Version 1.13 now available.
   * WebSite, all versions prior to 1.1c. Patch made available 14th March
     1996 to registered users, now freely available.
   * Microsoft-Internet-Information-Server, all versions to Service Pack 3.
   * Purveyor not vulnerable, developer statement, 22nd February 1996.
   * On information supplied by Andy Shipman, CompuServe/Spry Internet
     Office Webserver version 1.0 is also vulnerable.
   * No other NT or Windows servers tested.

Problem

These servers pass unchecked CGI arguments to a DOS command interpreter.

Impact

Internet users can have arbitrary commands executed on the machine with the
privileges of the owner of the http daemon.

Timeliness

Widely known since 18th February 1996.

Description

Arguments to DOS CGI scripts are passed to a command interpreter unchecked.

http://your.host.name/cgi-bin/script.bat?&dir
http://your.host.name/scripts/script.cmd?&dir
http://your.host.name/scripts/script.bat?&dir

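is a harmless example. Each request delivers the results of the script and,
assuming the script succeeds, follows this with a directory listing, because
the command interpreter treats the & in the query string as a command
separator and runs dir as a second command.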
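
To check whether requests of the form shown above have reached a server, the
access log can be scanned for batch-script requests whose query string carries
interpreter metacharacters. The following is an added example, not part of the
original advisory or of any vendor's software; the Common Log Format, the
metacharacter set, the function names and the sample log lines are assumptions
constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumption for this example: characters the command interpreter treats
# specially. On a vulnerable server the whole query string reaches the
# interpreter, so "&" in a batch-script query is never a plain separator.
SHELL_META = set("&|<>^")
BATCH_EXT = (".bat", ".cmd")

# Request field of a Common Log Format line (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?"')

# Constructed sample log lines, not taken from any real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Feb/1996:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [20/Feb/1996:10:01:07 +0000] "GET /cgi-bin/script.bat?&dir HTTP/1.0" 200 2210',
    '192.0.2.12 - - [20/Feb/1996:10:02:15 +0000] "GET /scripts/script.cmd?%26dir HTTP/1.0" 200 2198',
    '192.0.2.13 - - [20/Feb/1996:10:03:40 +0000] "GET /scripts/script.bat?name=alice HTTP/1.0" 200 310',
    '192.0.2.14 - - [20/Feb/1996:10:04:01 +0000] "GET /cgi-bin/form.pl?a=1&b=2 HTTP/1.0" 200 512',
]

def suspicious_chars(target):
    """Metacharacters in the decoded query of a request to a .bat/.cmd script."""
    parts = urlsplit(target)
    segments = unquote(parts.path).lower().split("/")
    if not any(seg.endswith(BATCH_EXT) for seg in segments):
        return []
    # Decode first so percent-encoded forms are checked as the script sees them.
    return sorted(SHELL_META.intersection(unquote(parts.query)))

def scan(lines):
    """Return (line_number, request_target, metacharacters) for each hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            found = suspicious_chars(match.group("target"))
            if found:
                hits.append((number, match.group("target"), found))
    return hits

if __name__ == "__main__":
    for number, target, found in scan(SAMPLE_LOG):
        print(f"line {number}: {target} contains {' '.join(found)}")
```

A hit shows only that such a request was received; whether the server acted on
it depends on the server version listed under Program.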

Recommendations

   * Obtain the latest copies of the Microsoft, Netscape & WebSite servers.

