Tom (dod@muenster.net)
Tue, 4 Aug 1998 07:41:24 -0700
> ----------
> From: Tom[SMTP:DOD@MUENSTER.NET]
> Sent: Tuesday, August 04, 1998 7:41:24 AM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: remote exploit in faxsurvey cgi-script
> Auto forwarded by a Rule
>
Hi!
There exists a bug in the 'faxsurvey' CGI-Script, which allows an
attacker to execute any command s/he wants with the
permissions of the HTTP-Server.
All the attacker has to do is type
"http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"
in his favorite Web-Browser to get a copy of your Password-File.
All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with
the HylaFAX package installed are vulnerable to this attack.
AFAIK the problem exists in the call of 'eval'.
I notified the S.u.S.E. team (suse.de) about that problem.
Burchard Steinbild <bs@suse.de> told me that they do not have enough time
to fix that bug for their 5.3 Dist., so they decided to just remove the
script from the file list.
I advise you to *immediately* remove/chown the cgi-script;
script-kiddies will just rewrite their 'phfscan'...
Bye,
Tom
PS: Look at my homepage for more information about my packetfilter
analyser.
This archive was generated by hypermail 2.0b3 on Fri Nov 20 1998 - 10:54:32 PST
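
A log check for the request pattern described in the post, as an added example that is not part of the original message: it scans web server access-log lines for requests to the faxsurvey script and separates bare existence probes from queries that decode to a command line. The Common Log Format input, the sample lines and the `kind` labels are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Common Log Format: client, two ids, [time], "METHOD target PROTO", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
SCRIPT_RE = re.compile(r"/cgi-bin/faxsurvey$", re.IGNORECASE)
# Decoded query text that looks like a command line rather than form data:
# a leading "/", whitespace, path traversal or shell metacharacters.
COMMAND_RE = re.compile(r"^/|\.\./|[\s;|`$<>(){}\\]")

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Aug/1998:08:02:11 -0700] "GET /index.html HTTP/1.0" 200 2048',
    '198.51.100.7 - - [04/Aug/1998:08:03:40 -0700] '
    '"GET /cgi-bin/faxsurvey?/bin/cat%20/etc/passwd HTTP/1.0" 200 913',
    '198.51.100.7 - - [04/Aug/1998:08:03:41 -0700] "GET /cgi-bin/%66axsurvey HTTP/1.0" 404 210',
    '192.0.2.44 - - [04/Aug/1998:08:05:02 -0700] "GET /cgi-bin/faxsurvey?page=1 HTTP/1.0" 200 512',
]

def fully_decode(text, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (catches %2520 style nesting)."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Return None for unrelated lines, else a dict describing the faxsurvey request."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, when, _method, target, status = m.groups()
    path, _, query = target.partition("?")
    # Decode the path as well, so an encoded script name is not missed.
    if not SCRIPT_RE.search(fully_decode(path)):
        return None
    decoded = fully_decode(query)
    if not decoded:
        kind = "probe"      # no query: someone checking whether the script exists
    elif COMMAND_RE.search(decoded):
        kind = "command"    # query decodes to something shaped like a shell command
    else:
        kind = "form"       # plain key=value data; still worth a look if the script should be gone
    return {"client": client, "time": when, "status": int(status), "kind": kind, "query": decoded}

def scan(lines):
    """Classify every line and keep only the faxsurvey hits."""
    return [hit for hit in map(classify, lines) if hit]
```

A `command` hit answered with status 200 means the script was still installed when the request arrived, so that host needs incident handling in addition to removing the script.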