Software: Robpoll.cgi URL: http:// Platforms: Unix, NT Type: CGI, Change password by default robpoll.cgi Remote Possible Problem discovered by Nick: alt3kx Mail: alt3kx_h3z@raza-mexicana.org Webs: w w w . h e r t m x . o r g w w w . s 0 d . o r g w w w . r a z a - m e x i c a n a . o r g Summary: Anyone can execute any command on the remote system with the priveleges of the web server. Anyone can read any file on the remote system which the account in wich the webserver runs as. Vulnerability: Robpoll is a free cgi based admin program. I played with the CGI and discovered that the function admin is set by a default password called "robpoll": 1: Add New Question 2: Remove Question 3: Change Password <--here is the bug There is an admin function for adding and removing questions, which is run through the robpoll.cgi, as shown in poll.html. The admin section of the script is password protected. The default password is "robpoll". You can change it through one of the admin functions. These are the files you should have: 1. robpoll.cgi . . . . . . the main Perl script 2. pollssi.cgi . . . . . . the Perl script for SSI 3. poll.html . . . . . . . sample html file 4. data.txt . . . . . . . . main data file 5. q1.txt . . . . . . . . . question data 6. ip1.txt . . . . . . . . ip data 7. num.txt . . . . . . . . data 8. white.jpg . . . . . . . image for graphing 9. robpoll.jpg . . . . . . link image 10. readme.txt . . . . . . . this file Exploit: (1) robpoll.cgi - http://www.example.com/cgi-bin/robpoll.cgi?Admin (2) You will receive an message html like: 1: Add New Question 2: Remove Question 3: Change Password (3) The password by default is "robpoll", leaving this password thus compromises the system and its files. ------------------------CUT------------------------ ## - Author alt3kx - ## (www.raza-mexicana.org) ## ## #!/bin/bash echo -e "GET http://www.example.com/cgi-bin/robpoll.cgi?Admin HTTP/1.0\n\n" | nc xxx.server.com 80 ------------------------CUT------------------------ Greetz to: Packet Storm and Ken, ADM crew, dr_fdisk^(k00l friend), Raregazz, X-ploit, _0x90_ (next work!). Radikall (thanks for the work).