remote exploit in faxsurvey cgi-script

From: Tom (dodat_private)
Date: Tue Aug 04 1998 - 07:41:24 PDT


    Hi!
    
    There exists a bug in the 'faxsurvey' CGI-Script, which allows an
    attacker to execute any command s/he wants with the
    permissions of the HTTP-Server.
    
    All the attacker has to do is type
    "http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"
    in his favorite Web-Browser to get a copy of your Password-File.
    
    All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with
    the HylaFAX package installed are vulnerable to this attack.
    
    AFAIK the problem exists in the call of 'eval'.
    
    I notified the S.u.S.E. team (suse.de) about that problem.
    Burchard Steinbild <bsat_private> told me that they do not have enough time
    to fix that bug for their 5.3 Dist., so they decided to just remove the
    script from the file list.
    
    I advise you to *immediately* remove/chown the cgi-script;
    script-kiddies will just rewrite their 'phfscan'...
    
    Bye,
            Tom
    
    PS: Look at my homepage for more information about my packetfilter
    analyser.
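
For administrators checking whether the request described in the post has already reached their server, the following is an added example, not part of the original message or of the HylaFAX or S.u.S.E. packages. It assumes the HTTP server writes Common Log Format; the function names and sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Common Log Format.

# faxsurvey_hits [LOGFILE...] -> "client<TAB>time<TAB>decoded query" per hit;
# reads stdin when no file is given.
faxsurvey_hits() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Decode %XX and "+"; control and non-ASCII bytes stay escaped so a
    # crafted request cannot inject newlines into the report.
    function urldecode(s,    out, i, c, h, l, v) {
        out = ""
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (c == "+") { out = out " "; continue }
            if (c == "%" && i + 2 <= length(s)) {
                h = hexval(substr(s, i + 1, 1)); l = hexval(substr(s, i + 2, 1))
                v = h * 16 + l
                if (h >= 0 && l >= 0) {
                    if (v >= 32 && v < 127) out = out sprintf("%c", v)
                    else out = out substr(s, i, 3)
                    i += 2; continue
                }
            }
            out = out c
        }
        return out
    }
    {
        # host ident user [time zone] "METHOD URL PROTO" status bytes
        if (split($0, q, "\"") < 3 || split(q[2], req, " ") < 2) next
        url = req[2]; p = index(url, "?")
        path = urldecode(p ? substr(url, 1, p - 1) : url)
        query = (p ? substr(url, p + 1) : "")
        if (path !~ /\/cgi-bin\/faxsurvey(\/|$)/ || query == "") next
        ts = $4; sub(/^\[/, "", ts)
        printf "%s\t%s\t%s\n", $1, ts, urldecode(query)
    }' "$@"
}

# Constructed sample log lines (documentation addresses, not real traffic).
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [04/Aug/1998:07:45:01 -0700] "GET /cgi-bin/faxsurvey?/bin/cat%20/etc/passwd HTTP/1.0" 200 1532
192.0.2.11 - - [04/Aug/1998:07:46:10 -0700] "GET /cgi-bin/faxsurvey HTTP/1.0" 200 800
192.0.2.12 - - [04/Aug/1998:07:47:33 -0700] "GET /index.html?x=1 HTTP/1.0" 200 120
192.0.2.13 - - [04/Aug/1998:07:48:00 -0700] "GET /cgi-bin/faxsurvey?a%0Ab HTTP/1.0" 200 10
EOF
}
```

Run it as `faxsurvey_hits /path/to/access_log`, or `sample_log | faxsurvey_hits` to see the output format; any line it prints is a request that passed a query string to the script and warrants review.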
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:11:13 PDT