Problem:

If you are running the "AnyForm" CGI program, available at <URL:http://www.uky.edu/%7Ejohnr/AnyForm2/>, on your web server, any client can run arbitrary commands under the server UID.

Affected versions: all versions

Explanation:

"AnyForm" passes form data to a system call without performing sanity checks. To exploit, create a form with a hidden field something like this:

    <input type="hidden" name="AnyFormTo" value="foo@bar.com;command-to-execute with whatever arguments;/usr/lib/sendmail -t foo@bar.com ">

Then submit the form to the "AnyForm" CGI on the server to be attacked. The value of this parameter is passed to this code:

    SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
    system(SystemCommand);

Since system invokes a shell, the semicolons are treated as command delimiters and anything can be inserted.

CGI authors, PLEASE make sure you understand security issues before releasing general purpose code to the public. I have seen variations on this mistake in more code than I care to recount.

I emailed the author with this information Saturday, but I have not yet heard back, and I am not one to sit on security holes. I have no idea how widely this code is being used, but I have seen discussion on at least a couple newsgroups, so this is going out to several newsgroups and mailing lists. Please send any followups to comp.infosystems.www.authoring.cgi.

Regards,

-- 
Paul Phillips                                  | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net>                    | have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>       | -- Canter and Siegel, on
<URL:pots://619-220-0850/hello/is/paul/there>  | their short-lived web site
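The same mail hand-off written so the shell never sees the field, as an added example that is not part of the advisory or of AnyForm itself: the AnyFormTo value is checked against a conservative allow-list and sendmail is started through execv with an argument vector, so a ';' in the field can no longer become a second command. The function names, the address rule and the fork/execv structure are assumptions of this example, not AnyForm's code.

```cpp
#include <cctype>
#include <fcntl.h>
#include <string>
#include <sys/wait.h>
#include <unistd.h>
#include <vector>

// For comparison, the vulnerable shape from the advisory: the untrusted field is spliced into a shell command line.
std::string vulnerable_command(const std::string& any_form_to,
                               const std::string& combined_file) {
    return "/usr/lib/sendmail -t " + any_form_to + " <" + combined_file;
}

// Allow-list check (assumed rule): exactly one address from a conservative character set; ';', '|', spaces, quotes and newlines are rejected outright.
bool is_safe_recipient(const std::string& addr) {
    if (addr.empty() || addr.size() > 254) return false;
    std::size_t at = addr.find('@');
    if (at == std::string::npos || at == 0 || at + 1 == addr.size()) return false;
    if (addr.find('@', at + 1) != std::string::npos) return false;
    for (unsigned char c : addr)
        if (!std::isalnum(c) && c != '@' && c != '.' && c != '-' && c != '_' && c != '+')
            return false;
    return true;
}

// Argument vector for execv: each element is one argv entry and is never re-parsed by a shell.
std::vector<std::string> sendmail_argv(const std::string& addr) {
    return {"/usr/lib/sendmail", "-t", addr};
}

// Hardened hand-off: validate, then fork/execv with the message file on stdin. Returns sendmail's exit status, or -1 on rejection or failure.
int send_mail(const std::string& addr, const std::string& combined_file) {
    if (!is_safe_recipient(addr)) return -1;
    std::vector<std::string> args = sendmail_argv(addr);
    std::vector<char*> argv;
    for (std::string& a : args) argv.push_back(&a[0]);
    argv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(combined_file.c_str(), O_RDONLY);
        if (fd < 0 || dup2(fd, STDIN_FILENO) < 0) _exit(127);
        execv(argv[0], argv.data());
        _exit(127);  // only reached if execv itself failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Rejecting the field up front and passing an argv instead of a command string are independent defences; either one alone would have stopped the injection the advisory describes.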