Title: everythingform.cgi vulnerability (remote command execution)
Released by: rpc
Date: 12th December 2000

Hi All,

This is Yet Another Bad Perl Script.  everythingform.cgi uses a hidden field 'config' to determine where to read configuration data from.


--code snippet--
..
# 'config' comes straight from the submitted form, with no validation
$ConfigFile = $in{config};
..
 open(CONFIG, "$configdir$ConfigFile") || &Error("I can\'t open $ConfigFile in the ReadConfig subroutine. Reason: $!");
------------



Information regarding everythingform can be found at:
 http://www.conservatives.net/atheist/scripts/index.html?everythingform



Sample exploit:



http://www.conservatives.net/someplace/everythingform.cgi" method=POST>

everythingform.cgi exploit

Command:
--rpc
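
A hardened form of the config lookup quoted in the advisory, as an added example that is not part of the original post or the everythingform source. The `open_config` helper, the `.cfg` naming rule and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: validate the 'config' field and open it read-only.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Return an open read handle for a config name, or die.
# (Hypothetical helper, not a function from everythingform.cgi.)
sub open_config {
    my ($configdir, $name) = @_;

    # Allowlist: a plain file name only, no path separators and no
    # characters that open() or a shell treat specially. The .cfg
    # suffix is an assumed naming convention.
    defined $name && $name =~ /\A([A-Za-z0-9_-]{1,64}\.cfg)\z/
        or die "rejected config name\n";
    my $safe = $1;    # captured copy is untainted under perl -T

    # Three-argument open: the mode is fixed to read, so nothing in
    # the file name can be interpreted as a mode or pipe character.
    open(my $fh, '<', "$configdir/$safe")
        or die "cannot open config: $!\n";
    return $fh;
}

# Constructed demo data: a scratch directory with one valid config.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/contact.cfg") or die "setup failed: $!";
print {$out} "recipient=webmaster\n";
close $out;

# Constructed inputs: one legitimate name, the rest must be refused.
for my $candidate ('contact.cfg', '../contact.cfg', '/etc/passwd',
                   'a|b.cfg', "contact.cfg\n", '') {
    my $fh = eval { open_config($dir, $candidate) };
    (my $shown = $candidate) =~ s/[^\x20-\x7e]/?/g;
    printf "%-18s %s\n", "'$shown'", $fh ? 'opened' : 'rejected';
    close $fh if $fh;
}
```

Only `contact.cfg` is opened; every other input is rejected before `open` is reached.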





