suid@suid.kg - mini advisory - DCFORMS98.CGI

Software:   DCFORMS98.CGI
Vendor:     dcscripts.com
URL:        http://www.dcscripts.com/dcforms98.shtml
Version:    Version 1.0
Platforms:  Unix
Type:       Input validation problem

Summary:

Anyone can create / truncate any file owned by the web server user (nobody/apache/whatever).

Vulnerability:

The perl code does no input validation, so reverse directory traversal is possible when specifying a `param_database`.

Exploit:

Build an HTML form resembling:

If httpd is running with UID == 0, you could easily get root by adding to the passwd file or /.rhosts. Of course you could simply send this in a POST request directly to the web server. Whatever.

http://www.suid.edu/advisories/005.txt

EOF
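
One way to close the hole described under Vulnerability, as an added example (not the vendor's code and not part of the original advisory): treat the `param_database` value as a bare file name, check it against an allow-list, and open it append-only under a fixed directory. The directory `/var/www/formdata` and the function names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_APPEND O_CREAT O_NOFOLLOW);
use File::Spec;

# Assumption: the only directory form data may ever be written to.
my $DATA_DIR = '/var/www/formdata';

# Map a client-supplied database name to a path inside $DATA_DIR.
# Returns undef unless the name is a plain file name.
sub safe_database_path {
    my ($name) = @_;
    return unless defined $name;
    # Allow-list: letters, digits, '_' and '-', plus one optional short
    # extension. This rejects '/', '\', '..', NUL bytes and leading dots.
    # \A and \z (not ^ and $) so a trailing newline cannot slip through.
    return unless $name =~ /\A([A-Za-z0-9_-]{1,64}(?:\.[A-Za-z0-9]{1,8})?)\z/;
    return File::Spec->catfile($DATA_DIR, $1);   # $1 is untainted under -T
}

# Open for append only: O_APPEND never truncates an existing file and
# O_NOFOLLOW refuses a symlink planted in place of the data file.
sub open_database {
    my ($name) = @_;
    my $path = safe_database_path($name) or return;
    sysopen(my $fh, $path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640)
        or return;
    return $fh;
}

# Constructed sample values, not taken from the advisory.
for my $name ('guestbook.db', '../../tmp/x', '/etc/hosts', "a\0.db", '.htaccess') {
    printf "%-16s => %s\n", ($name =~ s/\0/\\0/gr),
        defined safe_database_path($name) ? 'accepted' : 'rejected';
}
```

Only `guestbook.db` is accepted. Running httpd as an unprivileged user remains the second layer, since it bounds what any remaining file-write bug can reach.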