COMMAND

    CSVForm.pl remote command execution

SYSTEMS AFFECTED

    CSVForm.pl V0.1, possibly CSVFormPlus

PROBLEM

    Jason Gomes posted :

    CSVForm is a CGI Perl script designed to add records to a CSV
    database file. The CSV database file to be used is selected using
    an HTML hidden tag, and I assume this is to allow the same script
    to be used within multiple forms and CSV data files. This script
    doesn't appear to be actively maintained, yet it does appear to be
    used on a number of web sites. Unfortunately for those who adhere
    to the author's request to notify him of its use, they may be
    particularly vulnerable if they happen to be listed under the
    "Check out sites using our scripts" link located on the homepage.

    Description of problem
    ----------------------

    Examining the script shows that after the query is parsed and the
    "file" parameter obtained, it is passed directly to the following
    code sample unfiltered.

    sub modify_CSV {
        # $_[0] is the unfiltered "file" form parameter. The two-argument
        # form of open() lets the string itself select the mode: a
        # trailing "|" makes Perl run the rest as a shell command and
        # read its output instead of opening a file.
        if (open(CSV, $_[0])) {
        }
        else {
            goto &produce_error(
                "Can't open CSV file.\n",
                "Please, check that you have provided the cgi script with correct CSV file",
                " path in the HTML form.\n"
            );
        }
    }

    Example of exploit
    ------------------

    http://server/cgi-bin/csvform.pl?file=COMMAND_GOES_HERE%00|

SOLUTION

    Hardcode the path to the CSV data file in the script, or apply
    proper input validation to the "file" parameter (for example, map
    it through an allow-list of known CSV files) and use the
    three-argument form of open() with an explicit "<" mode, so that
    the submitted value can never select a pipe.
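The following Perl script is an added example, not CSVForm's own code or anything from the original post. It places a copy of the vulnerable two-argument open() beside a hardened version that applies the fix in the SOLUTION section: the form supplies a short key rather than a path, the key is checked against an allow-list, and the file is opened with the three-argument form and a fixed "<" mode. The function names (open_csv_unsafe, open_csv_safe), the %ALLOWED table and the temporary CSV file are all assumptions made for the example. It exercises only the trailing "|" of the advisory's payload, which is the part that turns open() into command execution; "echo" stands in for whatever command an attacker would supply.

```perl
#!/usr/bin/perl
# Added example, not CSVForm's own code. Contrasts the two-argument open()
# quoted in the advisory with a hardened open that fixes the path and the
# mode. All names (open_csv_unsafe, open_csv_safe, %ALLOWED) are our own.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed stand-in for the site's real CSV file, so the script runs
# anywhere: a temporary file that is deleted on exit.
my ($tmp_fh, $tmp_path) = tempfile(SUFFIX => '.csv', UNLINK => 1);
print {$tmp_fh} "name,email\n";
close $tmp_fh;

# Allow-list: the form supplies a short key, never a path. The script alone
# decides which files exist, which is the advisory's "hardcode the path" fix.
my %ALLOWED = (guestbook => $tmp_path);

# VULNERABLE (mirrors CSVForm's open(CSV,$_[0])): with two arguments, Perl
# reads the mode out of the string. A trailing "|" means "run this as a
# shell command and give me its stdout", a leading "|" pipes into a
# command, and ">" truncates whatever file is named.
sub open_csv_unsafe {
    my ($file) = @_;
    open(my $fh, $file) or return;
    return $fh;
}

# HARDENED: validate the shape of the key, map it through the allow-list,
# and use three-argument open() with an explicit "<" mode, so the string
# can only ever be treated as the name of a file to read.
sub open_csv_safe {
    my ($key) = @_;
    return unless defined $key && $key =~ /\A[a-z]{1,32}\z/;
    my $path = $ALLOWED{$key} or return;
    open(my $fh, '<', $path) or return;
    return $fh;
}

# "echo injected|" is what an attacker-supplied file=echo+injected%7C
# would arrive as after CGI decoding.
my $payload = 'echo injected|';
if (my $fh = open_csv_unsafe($payload)) {
    my $line = <$fh>;
    close $fh;
    print "unsafe open executed a command and read: $line";
}

# The hardened open rejects the command string and a traversal attempt,
# and opens only the allow-listed key.
for my $candidate ($payload, '../../../etc/passwd', 'guestbook') {
    my $fh = open_csv_safe($candidate);
    printf "safe open of %-22s => %s\n", "'$candidate'", $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}
```

Run it as `perl csvform_open.pl`: the first line of output shows the shell command's stdout coming back through the "file" handle, and the loop shows the hardened version accepting only `guestbook`. The regular expression is deliberately stricter than "no pipe character"; rejecting everything except a short lowercase key means the allow-list lookup, not the attacker, chooses the path, so path traversal and other open() modes are excluded in the same step.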