SECURITY HOLE: "AnyForm" CGI
Problem: If you are running the "AnyForm" CGI program, available at
<URL:http://www.uky.edu/%7Ejohnr/AnyForm2/> on your web server, any
client can run arbitrary commands under the server UID.
Affected versions: all versions
Explanation: "AnyForm" passes form data to a system call without
performing sanity checks. To exploit, create a form with a hidden
field something like this:
<input type="hidden" name="AnyFormTo" value="foo@bar.com;command-to-execute
with whatever arguments;/usr/lib/sendmail -t foo@bar.com ">
Then submit the form to the "AnyForm" CGI on the server to be attacked.
The value of this parameter is passed to this code:
SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
system(SystemCommand);
Since system invokes a shell, the semicolons are treated as command
delimiters and anything can be inserted. CGI authors, PLEASE make sure
you understand security issues before releasing general purpose code
to the public. I have seen variations on this mistake in more code
than I care to recount.
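As an added illustration, not code from the post or from the AnyForm author, here is the defensive counterpart of the two lines quoted above: the recipient taken from the form is checked against a strict allow-list of mailbox characters, and sendmail is started with an argv array via execv() rather than through system(), so no shell ever sees the value and a ';' in it is just another byte in one argument. The function names (isSafeAddress, buildSendmailArgv, sendWithoutShell), the 254-character limit and the allowed punctuation set are my own choices; the sendmail path and the "-t" flag are the ones the post shows.

```cpp
// Added example (not part of the original advisory): hardened replacement for
//   SystemCommand = "/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
//   system(SystemCommand);
// Two changes: validate the address with an allow-list, and exec sendmail
// directly with a fixed argv so no shell parses the recipient.
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

// Accept only a plain mailbox: one '@', non-empty local part and domain, and
// characters drawn from letters, digits and a small punctuation set. Anything
// else (';', '|', '`', '$', '<', whitespace, ...) is rejected outright.
// Allow-listing is used instead of trying to escape shell metacharacters.
bool isSafeAddress(const std::string& addr) {
    if (addr.empty() || addr.size() > 254) return false;   // length cap is an assumption
    std::string::size_type at = addr.find('@');
    if (at == std::string::npos || at == 0 || at == addr.size() - 1) return false;
    if (addr.find('@', at + 1) != std::string::npos) return false;
    for (char c : addr) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (std::isalnum(uc)) continue;
        if (c == '@' || c == '.' || c == '-' || c == '_' || c == '+') continue;
        return false;
    }
    return true;
}

// The argument vector handed to execv(): the recipient is exactly one element,
// so its contents are never re-parsed as command syntax.
std::vector<std::string> buildSendmailArgv(const std::string& recipient) {
    return { "/usr/lib/sendmail", "-t", recipient };
}

// Fork, redirect stdin from the combined form file (what "<" did in the shell
// version), then execv sendmail by absolute path. Returns the child's exit
// status, or -1 if the address is rejected or a system call fails.
int sendWithoutShell(const std::string& recipient, const std::string& combinedFileName) {
    if (!isSafeAddress(recipient)) return -1;   // refuse; do not try to "clean" it
    std::vector<std::string> args = buildSendmailArgv(recipient);
    std::vector<char*> argv;
    for (std::string& a : args) argv.push_back(&a[0]);
    argv.push_back(nullptr);

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int fd = open(combinedFileName.c_str(), O_RDONLY);
        if (fd < 0) _exit(127);
        dup2(fd, STDIN_FILENO);
        close(fd);
        execv(argv[0], argv.data());   // absolute path, no PATH lookup, no shell
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed sample values: the payload shape from the advisory is
    // rejected before any process is spawned; a plain address passes.
    const char* hostile = "foo@bar.com;command-to-execute;/usr/lib/sendmail -t foo@bar.com ";
    std::printf("hostile accepted: %s\n", isSafeAddress(hostile) ? "yes" : "no");
    std::printf("plain accepted:   %s\n", isSafeAddress("foo@bar.com") ? "yes" : "no");
    return 0;
}
```

The validator is deliberately stricter than RFC 822 allows; for a form-to-mail script that is the right trade-off, since the only thing lost is support for exotic addresses, while the thing gained is that the recipient can never reach a shell in the first place.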
I emailed the author with this information Saturday, but I have not
yet heard back, and I am not one to sit on security holes. I have no
idea how widely this code is being used, but I have seen discussion on
at least a couple newsgroups, so this is going out to several newsgroups
and mailing lists.
Please send any followups to comp.infosystems.www.authoring.cgi.
Regards,
--
Paul Phillips | "Click _here_ if you do not
<URL:mailto:paulp@cerf.net> | have a graphical browser"
<URL:http://www.primus.com/staff/paulp/> | -- Canter and Siegel, on
<URL:pots://619-220-0850/hello/is/paul/there> | their short-lived web site