
Thread: why don't they patch these sites?

  1. #1
    Senior Member
    Join Date: Oct 2004
    Posts: 122

    why don't they patch these sites?

    I just went to Google and searched for a known CGI bug which has been around for a long time. It is not new; I hope most of you are familiar with this.
    Yeah sure, it is called Google hacking (or URL hacking).
    To get an understanding of the CGI bug I am talking about, see this URL:
    http://www.google.co.in/search?hl=en...%3D+.txt&meta=

    This particular bug allows remote command execution on those sites. A lot of web sites have been hacked (or defaced) using this method by hackers.
    What amazed me was that two of the sites listed in the Google search have been there for a long time.


    I mailed them (a long time ago) to inform them that there is a bug on their site which allows remote command execution. There was no response from them!!!
    http://www.a-sup.jp/cgi-bin/shop/cgi...2003-06-30.txt|ls%20-l|

    http://www.cdfilm.h1.ru/cgi-bin/shop...ke=1_2_329.txt|ls%20-l|

    See these two URLs executing the ls command,
    and this URL executing the id command.
    http://www.a-sup.jp/cgi-bin/shop/cgi...2003-06-30.txt|id|

    It has been a long time since I mailed them last time and I will do it again today. But I don't get it: why don't these pplz patch it?
    It is like an open invitation to anyone with an internet and a keyboard to hack these sites.

    I am not giving the full details of the bug and exploits coz I don't want pplz to misuse that information.
    nobody is perfect i am nobody
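
For whoever operates a server like the ones in the post above, a way to find these requests in the web server's own access log. This is an added example, not part of the original post: the log lines are constructed, the parameter name `page` is hypothetical, and the character set checked is slightly wider than the pipe shown in the thread's URLs.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that let a parameter value reach a shell: pipe (the case in the
# thread), plus semicolon, backtick, newline and "$(" as a generalization.
SHELL_META = re.compile(r"[|;`\n]|\$\(")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample in Common Log Format (documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2004:10:01:44 +0000] "GET /cgi-bin/shop/shop.cgi?page=catalog.txt HTTP/1.0" 200 5120',
    '198.51.100.7 - - [12/Oct/2004:10:02:13 +0000] "GET /cgi-bin/shop/shop.cgi?page=catalog.txt%7Cid%7C HTTP/1.0" 200 87',
    '198.51.100.7 - - [12/Oct/2004:10:02:40 +0000] "GET /cgi-bin/shop/shop.cgi?page=catalog.txt|ls%20-l| HTTP/1.0" 200 1432',
    '192.0.2.10 - - [12/Oct/2004:10:03:02 +0000] "GET /index.html?ref=a|b HTTP/1.0" 200 900',
]

def scan(lines, path_prefix="/cgi-bin/"):
    """Return (client, path, param, decoded_value) for CGI requests whose
    query values carry shell metacharacters after percent-decoding."""
    hits = []
    for line in lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a request line we can parse
        url = urlsplit(m.group(1))
        if not url.path.startswith(path_prefix):
            continue  # only CGI scripts are of interest here
        # parse_qsl percent-decodes once, so %7C and %20 become '|' and ' '
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            decoded = unquote(value)  # second pass catches %257C
            if SHELL_META.search(decoded):
                hits.append((line.split()[0], url.path, key, decoded))
    return hits

if __name__ == "__main__":
    for client, path, key, value in scan(SAMPLE_LOG):
        print(f"{client} {path} {key}={value!r}")
```

A hit with a 200 status and an unusually small or large response size, as in the constructed lines, is worth checking against what the script normally returns.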

  2. #2
    Unpatched hosting servers are notorious for being flawed on first release - as are coded services which run on questionably wise engines such as Perl/CGI.

    The IIS version (I believe 5) which is bundled together with Windows 2000 was notorious for flaws, many of which were not rectified until (Win2k - not XP) Service Pack 2. Earlier OS packaged versions of Apache were the same.

    The onus on security very much comes down to the individual running the service. Without proper security measures - most prominently, in this case, patching - their service is open to a barrage of attacks - many of which are a Google search away.

    The same applies for the code which they use - especially when it is freely distributed. A lot of webstore CGI code (shop.cgi or more famously commerce.cgi) had initial security flaws which were easily exploited. Thankfully updates were provided (or the more adventurous coders out there spotted the problems themselves).

    Thankfully new technologies such as ColdFusion and ASP offer better security measures than CGI - though, unfortunately, flaws shall always be found.

    As for your constant e-mailing to the webmaster - it is highly probable they either no longer maintain the website or rarely maintain it. I find it difficult to believe a live store would continue to operate in the same fashion after X many attacks (esp. if that site is a known target for exploitation). Then again - little would surprise me out there in cyber land
    # Now if I ever needed inspiration,
    Right about now where I lose my patience,
