Newsgroups: comp.security.unix and quite a few others
Subject: SECURITY HOLE: "AnyForm" CGI
Followup-To: comp.infosystems.www.authoring.cgi
Date: 1 Aug 1995 04:26:49 GMT
Organization: http://www.primus.com/staff/paulp/useless.html
Problem: If you are running the "AnyForm" CGI program, available at
on your web server, any
client can run arbitrary commands under the server UID.
Affected versions: all versions
Explanation: "AnyForm" passes form data to a system call without
performing sanity checks. To exploit, create a form with a hidden
field something like this:
Then submit the form to the "AnyForm" CGI on the server to be attacked.
The value of this parameter is passed to this code:

    SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
    system(SystemCommand);

Since system invokes a shell, the semicolons are treated as command
delimiters and anything can be inserted. CGI authors, PLEASE make sure
you understand security issues before releasing general purpose code
to the public. I have seen variations on this mistake in more code
than I care to recount.
I emailed the author with this information Saturday, but I have not
yet heard back, and I am not one to sit on security holes. I have no
idea how widely this code is being used, but I have seen discussion on
at least a couple newsgroups, so this is going out to several newsgroups
and mailing lists.
Please send any followups to comp.infosystems.www.authoring.cgi.
Regards,
--
Paul Phillips | "Click _here_ if you do not
| have a graphical browser"
| -- Canter and Siegel, on
| their short-lived web site
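
Added example (not part of the original post, and not AnyForm's code): a shell-free replacement for the system() call quoted above. The form-supplied recipient is checked against an allowlist and passed to the mailer as a single argv element, and the message file is attached to stdin with dup2() instead of a "<" redirection. The names recipient_ok and send_message are hypothetical, and the mailer is assumed to accept "--" as the getopt end-of-options marker.

```c
/* Added example, not AnyForm's code: hand the recipient to the mailer
 * as one argv element via execv(), so no shell ever parses it. */
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist check on the form-supplied address; returns 1 if acceptable. */
int recipient_ok(const char *addr)
{
    size_t n = strlen(addr);
    const char *at = strchr(addr, '@');

    if (n == 0 || n > 254 || addr[0] == '-')   /* leading '-' would read as an option */
        return 0;
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@') != NULL)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isalnum(c) && strchr("@._+-", c) == NULL)
            return 0;                          /* ; | ` $ < > space CR LF all fail here */
    }
    return 1;
}

/* Runs `mailer -- to` with msg_path as stdin. Returns the mailer's exit
 * status, 127 if it could not be executed, -1 on rejection or error. */
int send_message(const char *mailer, const char *to, const char *msg_path)
{
    int fd, status;
    pid_t pid;

    if (!recipient_ok(to) || (fd = open(msg_path, O_RDONLY)) < 0)
        return -1;
    if ((pid = fork()) == 0) {
        char *const argv[] = { (char *)mailer, "--", (char *)to, NULL };
        if (dup2(fd, STDIN_FILENO) >= 0)
            execv(mailer, argv);               /* no /bin/sh involved */
        _exit(127);
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

The validation still matters after the shell is removed: a value starting with "-" would be read by the mailer as an option, and embedded newlines would matter if the address were ever written into a message header.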