CSVForm (Perl CGI) Remote Execution Vulnerability

From: Jason Gomes (jgomes@strataone.com)
Date: 12/11/01


From: "Jason Gomes" <jgomes@strataone.com>
To: <bugtraq@securityfocus.com>
Date: Tue, 11 Dec 2001 10:08:13 -0600


// Script: CSVForm.pl v0.1 and possibly CSVFormPlus
// Problem: Remote command execution
// Homepage: http://www.ezscripting.com/scripts/csvform.html
// Script Author: Mutasem Abudahab

Overview
-----------
CSVForm is a CGI Perl script designed to add records to a CSV database file.
The CSV database file to use is selected via an HTML hidden form field, and I
assume this is to allow the same script to be used with multiple forms and
CSV data files.
This script doesn't appear to be actively maintained, yet it does appear to
be used on a number of web sites. Unfortunately for those who adhered to the
author's request to notify him of its use, they may be particularly
exposed if they happen to be listed under the "Check out sites using our
scripts" link located on the homepage.

Description of problem
---------------------------
Examining the script shows that after the query is parsed and the value of
the "file" parameter is obtained, it is passed unfiltered, as the first
argument, to the two-argument open() in the code sample below. Perl's
two-argument open() inspects the filename string for mode characters: a
value ending in '|' is not opened as a file at all but is run as a shell
command whose output is read through the handle (a leading '|' pipes into
the command, and a leading '<', '>' or '>>' selects the open mode). Since the
hidden form field is entirely under the client's control, anyone can supply
a command in place of a file name.

sub modify_CSV
{
    # $_[0] is the unvalidated "file" form value. Two-argument open()
    # treats a trailing '|' as "execute this command and read its output".
    if (open(CSV, $_[0])) {
    }
    else {
        goto &produce_error(
            "Can't open CSV file.\n",
            "Please, check that you have provided the cgi script with correct CSV file",
            " path in the HTML form.\n"
        );
    }
    # (rest of the sub not reproduced in this advisory)
}

Example of exploit
----------------------
http://server/cgi-bin/csvform.pl?file=COMMAND_GOES_HERE%00|

The trailing '|' makes open() execute COMMAND_GOES_HERE instead of reading a
file, with the privileges of the web server user. The '%00' decodes to a NUL
byte, the classic Perl null-byte truncation: the command string reaches the
operating system as a C string, so execution stops at the NUL and nothing
after it matters.

Fix / workaround
--------------------
Hardcode the path to the CSV data file, or validate the "file" parameter
against an allow-list of permitted file names (no '/', '..', '|', NUL or
other metacharacters) before use, and always call open() with three
arguments and an explicit mode, e.g. open(CSV, '<', $path), so that the
filename can never be interpreted as a command. Running the script under
Perl's taint mode (-T) would also have caused the pipe open on unchecked
form input to die with an "Insecure dependency" error rather than run the
command.
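As an added example (not CSVForm's own code and not from its author), the
following Perl script shows the hardened form of the open: an allow-list
check on the "file" value, a hardcoded data directory (assumed here to be
/var/www/data/csvform) and a three-argument open. The inputs at the bottom
are constructed to exercise the check, including the COMMAND%00| shape from
the exploit above.

```perl
#!/usr/bin/perl
# Added example, not part of CSVForm: a safe replacement for the open() in
# modify_CSV. Assumed layout: all CSV files live directly under $CSV_DIR and
# the HTML form's "file" field carries a bare file name such as "guestbook.csv".
use strict;
use warnings;

my $CSV_DIR = '/var/www/data/csvform';   # hardcoded; the request cannot move it

# Validate the untrusted form value and return an untainted absolute path,
# or undef when the value is not an allowed CSV file name.
sub safe_csv_path {
    my ($name) = @_;
    return undef unless defined $name;
    # Allow-list match: letters, digits, '_' and '-', then a literal ".csv".
    # '/', '..', NUL, '|', '<' and '>' all fail this test, and the capture
    # untaints the value when the script runs under -T.
    return undef unless $name =~ /\A([A-Za-z0-9_-]{1,64})\.csv\z/;
    return "$CSV_DIR/$1.csv";
}

# Three-argument open with an explicit read mode: the second argument is the
# mode and the third is always a path, so a '|' in user data can never turn
# the call into a command execution the way it does with open(CSV, $_[0]).
sub open_csv {
    my ($path) = @_;
    open(my $fh, '<', $path) or return undef;
    return $fh;
}

# Constructed inputs (not real requests): how the check treats each shape.
my @candidates = (
    'guestbook.csv',            # legitimate value from the hidden field
    "id\0|",                    # the advisory's COMMAND_GOES_HERE%00| shape
    'uname -a|',                # trailing pipe: command execution under 2-arg open
    '../../../../etc/passwd',   # directory traversal
    '>guestbook.csv',           # 2-arg open would truncate the file
);

for my $value (@candidates) {
    (my $shown = $value) =~ s/\0/\\0/g;     # make the NUL visible when printing
    my $path = safe_csv_path($value);
    printf "%-28s -> %s\n", "'$shown'",
        defined $path ? "accepted: $path" : 'rejected';
}

# In the CGI itself (assuming a CGI.pm object $q) the flow would be:
#   my $path = safe_csv_path($q->param('file'))
#       or return produce_error("Can't open CSV file.\n", ...);
#   my $fh   = open_csv($path) or return produce_error("Can't open CSV file.\n", ...);
```

Run it as `perl -T` so that taint mode backstops the check: the regex
capture is the only place the form value is laundered, and any later
attempt to feed the raw parameter to open(), system() or a pipe would die
instead of executing. The allow-list deliberately rejects subdirectories,
which matches the single-form use the advisory describes; a path is never
built from the raw value, only from the matched capture.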

Attempts to notify the author have failed as it seems his email has
backlogged to the point at which no further emails are being accepted.

Jason Gomes
jasong@home.com


