Date: Tue, 4 Aug 1998 07:41:24 -0700
From: Tom <dod@muenster.net>
To: BUGTRAQ@netspace.org
Subject: remote exploit in faxsurvey cgi-script
Hi!
There exist a bug in the 'faxsurvey' CGI-Script, which allows an
attacker to execute any command s/he wants with the
permissions of the HTTP-Server.
All the attacker has to do is type
"http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"
in his favorite Web-Browser to get a copy of your Password-File.
All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with
the HylaFAX package installed are vulnerable to this attack.
AFAIK the problem exists in the call of 'eval'.
I notified the S.u.S.E. team (suse.de) about that problem.
Burchard Steinbild <bs@suse.de> told me, that they have not enough time
to fix that bug for their 5.3 Dist., so they decided to just remove the
script from the file list.
I advise you to *immediately* remove/chown the cgi-script;
script-kiddies will
just rewrite their 'phfscan'...
Bye,
Tom
PS: Look at my homepage for more informations about my packetfilter
analyser.
