Content-Type: Remote Root via vulnerable CGI software
Date : 13/08/2000
Sender : s1gnal_9
Subject : form-totaller Vulnerable CGI
X-System : UNIX/NT systems running the form-totaller CGI software
X-Status : s1gnal_9-ADVISORY-form-totaller.txt
X-Greets : Narr0w, f0bic, VetesGirl
_________________________________________________________________________________

PRODUCT NAME: form-totaller version 1.0
PRODUCT HOMEPAGE: http://www.newbreedsoftware.com/form-totaller/
Also Available at freecode.com

DESCRIPTION:
Use "form-totaller" to create tests and quizzes on the web. Use forms with pull-down menus or radio buttons and this CGI will display output based on their input.

PROBLEM:
The command field "_response_data" is the field that specifies the display output based on their input. The default file for this field is set at:

A remote attacker could easily change the cgi script to use "/etc/passwd" as the response data value.

EXAMPLE:
Below is an example of how we could read files on the remote system.

<-------------------------CUT HERE-------------------------------------->
<-------------------------CUT HERE-------------------------------------->

SOLUTION:
I would recommend hard-coding the response_data file right into the script and leaving that command field out of the cgi.

Please visit www.zone.ee/unix :)
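
The recommended fix, sketched as an added example (this is not form-totaller's own code): a handler that trusts the submitted "_response_data" field next to one that hard-codes the file and only records that the field was sent. The path RESPONSE_DATA_FILE, the function names and the request bodies are assumptions made for illustration.

```python
from urllib.parse import parse_qs

# Hypothetical server-side path; the real default is not shown in the advisory.
RESPONSE_DATA_FILE = "/var/www/quiz/responses.dat"
COMMAND_FIELD = "_response_data"  # field name taken from the advisory


def select_file_vulnerable(body):
    """Pattern the advisory describes: the submitted field names the file."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get(COMMAND_FIELD, [RESPONSE_DATA_FILE])[0]


def select_file_hardened(body):
    """Advisory's fix: fixed path in the script, command field never honoured.

    Returns (path, answers, tampered). tampered is True when the request
    carried the command field at all, which is worth logging.
    """
    fields = parse_qs(body, keep_blank_values=True)
    tampered = COMMAND_FIELD in fields
    answers = {k: v[0] for k, v in fields.items() if k != COMMAND_FIELD}
    return RESPONSE_DATA_FILE, answers, tampered


# Constructed request bodies (not captured traffic).
NORMAL = "q1=b&q2=d"
TAMPERED = "q1=b&q2=d&_response_data=%2Fetc%2Fpasswd"

if __name__ == "__main__":
    for body in (NORMAL, TAMPERED):
        print("vulnerable ->", select_file_vulnerable(body))
        print("hardened   ->", select_file_hardened(body))
```

With the hardened handler the quiz answers are still processed, the file opened is always the server-side constant, and the tampered flag gives the operator something to log or alert on.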