AnyForm meta-characters

DOVES Vulnerability V-00101

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis



Description

Brief summary: The AnyForm package does not check its input adequately, allowing users to insert metacharacters to force remote execution of a command.

Detailed description: AnyForm passes form data to a system call without checking the input for shell meta-characters.
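The pattern described above, as an added example (not AnyForm's code, which this entry does not show). Python is used for illustration; the field names, the metacharacter list, and the child process standing in for the program a form handler would invoke are assumptions. It flags form fields that contain shell metacharacters and shows that a value passed as a single argument-vector element, with no shell involved, arrives as literal text.

```python
import subprocess
import sys

# Characters a POSIX shell treats specially. A conservative list chosen
# for this example (assumption), not taken from the DOVES entry.
SHELL_META = set(";&|`$<>(){}[]!*?~#\\'\"\n\r")

# Constructed sample form submission; field names are hypothetical.
CONSTRUCTED_FORM = {
    "name": "Alice",
    "email": "alice@example.org; echo injected",
}


def find_metacharacters(fields):
    """Return {field: sorted metacharacters found} for offending fields."""
    hits = {}
    for name, value in fields.items():
        found = sorted(set(value) & SHELL_META)
        if found:
            hits[name] = found
    return hits


def run_without_shell(value):
    """Hand the form value to a child process as one argv element.

    No shell parses the string, so ';' and friends have no special
    meaning. The child is a stand-in for the real helper program: it
    reports how many arguments it received and echoes the first one.
    """
    child = "import sys; print(len(sys.argv) - 1); print(sys.argv[1])"
    result = subprocess.run(
        [sys.executable, "-c", child, value],
        capture_output=True, text=True, check=True,
    )
    count, received = result.stdout.splitlines()
    return int(count), received


if __name__ == "__main__":
    # Reject (or log) the request before any external program is run.
    print("fields with metacharacters:", find_metacharacters(CONSTRUCTED_FORM))
    # Even if the value gets through, it stays a single literal argument.
    print("child received:", run_without_shell(CONSTRUCTED_FORM["email"]))
```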

Components: AnyForm version 2 or earlier

Operating system(s): not known

Intruders can execute arbitrary commands with the privileges of the web server process.

How to detect:

  1. See if your system is running AnyForm version 2 or earlier. If so, you have the bug.

How to fix:

  1. You need to get rid of the offending programs.
    1. Disable the AnyForm program.
    2. Upgrade to AnyForm version 3 or greater.

Other information: none


Keywords

metacharacter, www, web server, form

Cataloguing Information

Common Vulnerabilities and Exposures: AnyForm CGI remote execution [CVE-1999-0066]


Exploits

Attacks: See DOVES exploit #101.


Related Information

The AnyForm web page is at the University of Kentucky.

Advisories:

Related DOVES entries:


History

Who reported it: Paul Phillips in Bugtraq on Mon Jul 31 1995 21:26:51


Revision #1

  1. Stacey Anderson on 6/26/2000
    Initial entry


Send email to doves@cs.ucdavis.edu


Page created August 28, 2000 at 16:41:45 GMT