`Date: Tue, 4 Aug 1998 07:41:24 -0700
Reply-To: [email protected]
From: Tom <[email protected]>
Subject: remote exploit in faxsurvey cgi-script
Hi!
There exists a bug in the 'faxsurvey' CGI-Script, which allows an attacker to
execute any command s/he wants with the permissions of the HTTP-Server.
All the attacker has to do is type
"http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"
in his favorite Web-Browser to get a copy of your Password-File.
All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with the
HylaFAX package installed are vulnerable to this attack.
AFAIK the problem exists in the call of 'eval'.
I notified the S.u.S.E. team (suse.de) about that problem. Burchard
Steinbild <[email protected]> told me that they have not enough time to fix that
bug for their 5.3 Dist., so they decided to just remove the script from the
file list.
I advise you to *immediately* remove/chown the cgi-script; script-kiddies
will just rewrite their 'phfscan'...
Bye,
Tom
PS: Look at my homepage for more information about my packetfilter
analyser.
-----------------------------------------------------------------------------
Date: Tue, 4 Aug 1998 07:43:42 -0700
From: Tom <[email protected]>
Organization: Dungeon of Doom
Subject: PATCH: faxsurvey
Hi.
Here comes the patch for the 'faxsurvey' cgi-script.
The problem is the quotation marks for the 'eval' command.
Will they ever learn?
Don't forget to remove/chown 'faxsurvey.orig' after patching.
Cheers
Tom
--- faxsurvey.orig Mon Dec 1 01:05:47 1997
+++ faxsurvey Fri Jul 31 11:59:21 1998
@@ -44,7 +44,7 @@
#
# Be careful here.
#
-eval `$ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'`
+eval "ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"
echoMail()
{
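Review bot: the `+` line still starts with `eval` and still expands `$QUERY_STRING` into the text being evaluated, so request data is still parsed as shell code. The inner double quotes around `$QUERY_STRING` close and reopen the outer string, which leaves the variable unquoted, and `ECHO` has lost the `$` it had on the `-` line, so it is no longer the `$ECHO` variable. Suggest removing `eval` from this path entirely: split the query string as text, accept only the expected field names, and validate each value before use. The `# Be careful here.` comment should also say which input is untrusted and why.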
[EOM]
`
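The first message locates the problem in the call of `eval` on `$QUERY_STRING`; the durable fix is to never evaluate the query string as shell code. As an added example (not from the original posts or from the HylaFAX script), this POSIX sh code reads allowlisted fields as plain data. The field names and the functions `urldecode` and `parse_query` are hypothetical.

```sh
#!/bin/sh
# Added example: read CGI form fields from QUERY_STRING without eval.
# Field names (name, email, os) are hypothetical, not faxsurvey's own.
ALLOWED_FIELDS="name email os"

# Percent-decode one value with printf and parameter expansion only.
# Fails on malformed escapes and on decoded control characters.
urldecode() {
    _in=$1 _out=
    while [ -n "$_in" ]; do
        case $_in in
            %[0-9A-Fa-f][0-9A-Fa-f]*)
                _hex=${_in#?}; _hex=${_hex%"${_hex#??}"}
                _code=$((0x$_hex))
                [ "$_code" -ge 32 ] && [ "$_code" -ne 127 ] || return 1
                _out=$_out$(printf '%b' "\\0$(printf '%o' "$_code")")
                _in=${_in#???} ;;
            %*) return 1 ;;
            +*) _out="$_out "; _in=${_in#?} ;;
            *)  _out=$_out${_in%"${_in#?}"}; _in=${_in#?} ;;
        esac
    done
    printf '%s' "$_out"
}

# Print "field=value" lines for allowlisted fields. The query string is
# only ever split and compared as text; none of it reaches eval.
parse_query() {
    _rest=$1
    while [ -n "$_rest" ]; do
        _pair=${_rest%%"&"*}
        case $_rest in *"&"*) _rest=${_rest#*"&"} ;; *) _rest= ;; esac
        case $_pair in *=*) ;; *) continue ;; esac
        _key=${_pair%%=*}
        case $_key in ""|*[!a-z]*) continue ;; esac
        case " $ALLOWED_FIELDS " in *" $_key "*) ;; *) continue ;; esac
        _val=$(urldecode "${_pair#*=}") || continue
        printf '%s=%s\n' "$_key" "$_val"
    done
}

# Constructed sample input, used when the script is not run as a CGI.
parse_query "${QUERY_STRING:-name=Tom&os=Linux%205.2&PATH=/tmp}"
```

A query string with no `name=value` pairs, such as the one in the first message, yields no fields at all, and `PATH` is dropped because it is not on the allowlist.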