Bugtraq mailing list archives

LPR/LPD bugs


From: paulp () CERF NET (Paul Phillips)
Date: Mon, 31 Jul 1995 21:26:51 -0700


Problem: If you are running the "AnyForm" CGI program, available at
<URL:http://www.uky.edu/%7Ejohnr/AnyForm2/> on your web server, any
client can run arbitrary commands under the server UID.

Affected versions: all versions

Explanation: "AnyForm" passes form data to a system call without
performing sanity checks.  To exploit, create a form with a hidden
field something like this:

<input type="hidden" name="AnyFormTo" value="foo () bar com;command-to-execute
with whatever arguments;/usr/lib/sendmail -t foo () bar com ">

Then submit the form to the "AnyForm" CGI on the server to be attacked.
The value of this parameter is passed to this code:

  SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
  system(SystemCommand);

Since system invokes a shell, the semicolons are treated as command
delimiters and anything can be inserted.  CGI authors, PLEASE make sure
you understand security issues before releasing general purpose code
to the public.  I have seen variations on this mistake in more code
than I care to recount.

I emailed the author with this information Saturday, but I have not
yet heard back, and I am not one to sit on security holes.  I have no
idea how widely this code is being used, but I have seen discussion on
at least a couple newsgroups, so this is going out to several newsgroups
and mailing lists.

Please send any followups to comp.infosystems.www.authoring.cgi.

Regards,

--
Paul Phillips                                 | "Click _here_ if you do not
<URL:mailto:paulp () cerf net>                   |  have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
<URL:pots://619-220-0850/hello/is/paul/there> |  their short-lived web site
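
Added example, not part of the original post and not AnyForm's code: a hardened form of the sendmail call quoted above, which validates the recipient against a narrow allowlist and runs /usr/lib/sendmail through execv() so that no shell ever parses the form value. The function names and the deliberately strict address grammar are assumptions made for illustration.

```c
#include <ctype.h>
#include <fcntl.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for one recipient: local@domain using only letters, digits and
 * . _ + - (assumed grammar). Rejects ; | space etc. and a leading '-'. */
int is_safe_recipient(const char *addr)
{
    size_t i, len = strlen(addr), at = 0;
    int ats = 0;
    if (len == 0 || len > 254 || addr[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') { ats++; at = i; continue; }
        if (!isalnum(c) && !strchr("._+-", c))
            return 0;
    }
    return ats == 1 && at > 0 && at < len - 1;
}

/* Mail the file at body_path to `to` with no shell involved: the address is
 * a single argv element and the body is sendmail's stdin. -1 on any error. */
int send_form_mail(const char *to, const char *body_path)
{
    int status, fd;
    pid_t pid;
    if (!is_safe_recipient(to))
        return -1;
    if ((fd = open(body_path, O_RDONLY)) < 0)
        return -1;
    pid = fork();
    if (pid == 0) {
        char *argv[] = { "sendmail", "-i", "--", (char *)to, NULL };
        if (dup2(fd, STDIN_FILENO) >= 0)
            execv("/usr/lib/sendmail", argv);
        _exit(127);                     /* dup2 or exec failed */
    }
    close(fd);
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    return (argc == 3 && send_form_mail(argv[1], argv[2]) == 0) ? 0 : 1;
}
```

Either measure alone closes this hole; the validation is kept as a second layer because an address beginning with "-" would otherwise reach sendmail as an option.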


