CSVForm (Perl CGI) Remote Execution Vulnerability

From: Jason Gomes (jgomesat_private)
Date: Tue Dec 11 2001 - 08:08:13 PST


// Script:  CSVForm.pl v0.1 and possibly CSVFormPlus
// Problem:  Remote command execution
// Homepage: http://www.ezscripting.com/scripts/csvform.html
// Script Author:  Mutasem Abudahab

Overview
-----------
CSVForm is a CGI Perl script designed to add records to a CSV database file.
The CSV database file to be used is selected using an HTML hidden tag, and I
assume this is to allow the same script to be used within multiple forms and
CSV data files.
This script doesn't appear to be actively maintained, yet it does appear to
be used on a number of web sites.  Unfortunately, those who adhere to the
author's request to notify him of its use may be particularly vulnerable if
they happen to be listed under the "Check out sites using our scripts" link
located on the homepage.

Description of problem
---------------------------
Examining the script shows that after the query is parsed and the "file"
parameter obtained, its value is passed directly and unfiltered to the
following code sample as the first argument of modify_CSV. Perl's two-argument
open() treats a trailing "|" in its argument as a request to run the rest of
the string as a command and read from it, which is how a crafted "file" value
turns a file open into command execution.

sub modify_CSV
{
    # $_[0] is the client-supplied "file" parameter, used as-is. With the
    # two-argument form of open(), a trailing "|" makes Perl execute the
    # preceding text as a command instead of opening a file.
    # (Vulnerable code as shipped; only comments and layout added here.)
    if(open(CSV,$_[0])){
    }
    else{
        goto &produce_error(
            "Can't open CSV file.\n",
            "Please, check that you have provided the cgi script with correct CSV file",
            " path in the HTML form.\n"
            );
    }
    # ... remainder of the subroutine not quoted in this advisory
}

Example of exploit
----------------------
http://server/cgi-bin/csvform.pl?file=COMMAND_GOES_HERE%00|


Fix / workaround
--------------------
Hard-code the path to the CSV data file, or apply proper input validation to
the "file" parameter before it reaches open().
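
As an added illustration of that fix (example code written for this annotation,
not code from CSVForm or its author): the form value is used only as a key into
a hard-coded table of CSV paths, the key is checked against a strict whitelist,
and the file is opened with three-argument open() whose mode is fixed by the
code. The data directory, the form names and the field names are placeholders
chosen for the example; the demonstration inputs at the end are constructed.

```perl
#!/usr/bin/perl
# Added example, not code from the CSVForm script or its author: a hardened
# replacement for the file-selection logic criticised in the advisory. The
# form still sends a "file" parameter, but it is treated as a key into a
# hard-coded table of CSV paths, never as a path or as an argument to open().
use strict;
use warnings;
use Fcntl qw(:flock);

# Base directory for the CSV files; a placeholder chosen for this example.
our $DATA_DIR = '/var/www/data';

# The only files the script will ever write, regardless of what the client
# sends. Adding a new form means adding a line here, not trusting the request.
sub allowed_csv {
    return (
        contact => "$DATA_DIR/contact.csv",
        survey  => "$DATA_DIR/survey.csv",
    );
}

# Map the client-supplied key to a path, or return undef. The key must match
# a strict whitelist before it is even looked up, so "|", NUL (the %00 in the
# advisory) and path separators are rejected outright. The capture also
# untaints the value when the script runs under perl -T.
sub resolve_csv_path {
    my ($key) = @_;
    return undef unless defined $key;
    return undef unless $key =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    my $clean = $1;
    my %table = allowed_csv();
    return $table{$clean};     # undef if the key is not in the table
}

# Append one record. The three-argument open() fixes the mode in the code, so
# no value of $path can turn the open into a pipe, and $path itself came from
# the table above rather than from the request. Returns (1, path) or (0, msg).
sub modify_CSV {
    my ($key, @fields) = @_;
    my $path = resolve_csv_path($key);
    return (0, "Unknown CSV file selected") unless defined $path;

    # Quote every field so commas, quotes and newlines stay inside the cell.
    my @quoted = map {
        my $f = defined $_ ? $_ : '';
        $f =~ s/"/""/g;
        qq("$f");
    } @fields;

    open(my $csv, '>>', $path) or return (0, "Can't open CSV file: $!");
    flock($csv, LOCK_EX)       or return (0, "Can't lock CSV file: $!");
    print {$csv} join(',', @quoted), "\n";
    close($csv)                or return (0, "Can't close CSV file: $!");
    return (1, $path);
}

# Demonstration with constructed inputs (runs only when executed directly).
unless (caller) {
    require File::Temp;
    local $DATA_DIR = File::Temp::tempdir(CLEANUP => 1);

    for my $input ('survey', "COMMAND_GOES_HERE\0|", 'survey|', 'nosuchform') {
        (my $shown = $input) =~ s/[^[:print:]]/?/g;   # make the NUL visible
        my $path = resolve_csv_path($input);
        printf "%-22s -> %s\n", $shown, defined $path ? 'accepted' : 'rejected';
    }

    my ($ok, $msg) = modify_CSV('survey', 'Jane "JD" Doe', 'jd@example.invalid');
    print $ok ? "record appended to $msg\n" : "error: $msg\n";
}
```

Of the four demonstration inputs only "survey" is accepted; the value with the
embedded NUL and trailing "|", the value with a bare trailing "|", and an
unknown form name are all refused before open() is ever called. Running the
script under perl -T adds a second line of defence: anything that does not pass
the whitelist match stays tainted and Perl will refuse to use it in open().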
    
Attempts to notify the author have failed as it seems his email has
backlogged to the point at which no further emails are being accepted.


Jason Gomes
jasongat_private
    