Vulnerability

    Poll_It

Affected

    Poll_It cgi v2.0

Description

    Adrian Daminato found following.  The CGI is available from:

        http://www.cgi-world.com/pollit.html

    The bug takes place when calling the CGI and passing it parameters
    that overwrite settings initialized in the CGI:

        /cgi-bin/pollit/Poll_It_SSI_v2.0.cgi?data_dir=/etc/passwd%00

    Because the CGI initializes it's internal variables before parsing
    any  form  data,  and  the  method  it  uses  to  parse  form data
    overwrites internal  variables (in  this case,  $data_dir), it  is
    possible to retrieve any files readable by the webserver.

    On line 78 is the line:

        %in = &ReadForm;

    Moving it  above the  local variable  initializations to  line 66,
    causes any internally used  variables to be initialized  after the
    query is processed, therefore  insuring that correct data  is used
    for the form.

    This doesn't appear to change  the usability of the CGI,  and from
    what we can determine, doesn't create any other security  concerns
    (this fact is not 100% certain).

    Same goes for Poll_It_SSI_v2.0.cgi.

Solution

    It should be noted that the Poll_It_v2.0.cgi suffers from the same
    problem as Poll_It_SSI_v2.0.cgi.   The fix is  similar, move  line
    77 (%in = &ReadForm;) to line 66.  Poll_It_v2.0.cgi is in the same
    distro as Poll_It_SSI_v2.0.cgi.