remote exploit in faxsurvey cgi-script


Tom (dod@muenster.net)
Tue, 4 Aug 1998 07:41:24 -0700


> ----------
> From: Tom[SMTP:DOD@MUENSTER.NET]
> Sent: Tuesday, August 04, 1998 7:41:24 AM
> To: BUGTRAQ@NETSPACE.ORG
> Subject: remote exploit in faxsurvey cgi-script
> Auto forwarded by a Rule
>
Hi!

There exist a bug in the 'faxsurvey' CGI-Script, which allows an
attacker to execute any command s/he wants with the
permissions of the HTTP-Server.

All the attacker has to do is type
"http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"
in his favorite Web-Browser to get a copy of your Password-File.

All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with
the HylaFAX package installed are vulnerable to this attack.

AFAIK the problem exists in the call of 'eval'.

I notified the S.u.S.E. team (suse.de) about that problem.
Burchard Steinbild <bs@suse.de> told me, that they have not enough time
to fix that bug for their 5.3 Dist., so they decided to just remove the
script from the file list.

I advise you to *immediately* remove/chown the cgi-script;
script-kiddies will
just rewrite their 'phfscan'...

Bye,
        Tom

PS: Look at my homepage for more informations about my packetfilter
analyser.



This archive was generated by hypermail 2.0b3 on Fri Nov 20 1998 - 10:54:32 PST