remote exploit in faxsurvey cgi-script

[dod () muenster net (Tom)]

Hi!

There exist a bug in the 'faxsurvey' CGI-Script, which allows an
attacker to execute any command s/he wants with the
permissions of the HTTP-Server.

All the attacker has to do is type
"http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd";
in his favorite Web-Browser to get a copy of your Password-File.

All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with
the HylaFAX package installed are vulnerable to this attack.

AFAIK the problem exists in the call of 'eval'.

I notified the S.u.S.E. team (suse.de) about that problem.
Burchard Steinbild <bs () suse de> told me, that they have not enough time
to fix that bug for their 5.3 Dist., so they decided to just remove the
script from the file list.

I advise you to *immediately* remove/chown the cgi-script;
script-kiddies will
just rewrite their 'phfscan'...

Bye,
        Tom

PS: Look at my homepage for more informations about my packetfilter
analyser.