Web Exposures

• When PHF script exist

  • http://your.host/cgi-bin/phf?Qalias=x%0Acat%20/etc/passwd
  • %0A -new line; %20 - space

• Most Web applications are never tested for penetration vulnerabilities (input handling issues)

  • cgi script may be able to use files outside of server area
  • unexpected arguments

• Web servers have well-known bugs: in most cases requires ability to find, read and recreate exploits

• various exploits described at

  • http://www.cert.org/advisories/

• Most popular: replace web pages with new ones; put additional contents

Previous slide

Next slide

Back to first slide

View graphic version