Date: Tue, 4 Aug 1998 07:41:24 -0700
Reply-To: dod@muenster.net
From: Tom
Subject: remote exploit in faxsurvey cgi-script

Hi!

There exists a bug in the 'faxsurvey' CGI-Script, which allows an attacker to execute any command s/he wants with the permissions of the HTTP-Server. All the attacker has to do is type "http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd" in his favorite Web-Browser to get a copy of your Password-File.

All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with the HylaFAX package installed are vulnerable to this attack. AFAIK the problem exists in the call of 'eval'.

I notified the S.u.S.E. team (suse.de) about that problem. Burchard Steinbild told me that they have not enough time to fix that bug for their 5.3 Dist., so they decided to just remove the script from the file list.

I advise you to *immediately* remove/chown the cgi-script; script-kiddies will just rewrite their 'phfscan'...

Bye,
Tom

PS: Look at my homepage for more information about my packetfilter analyser.

-----------------------------------------------------------------------------

Date: Tue, 4 Aug 1998 07:43:42 -0700
From: Tom
Organization: Dungeon of Doom
Subject: PATCH: faxsurvey

Hi.

Here comes the patch for the 'faxsurvey' cgi-script. The problem is the quotation marks for the 'eval' command. Will they ever learn?

Don't forget to remove/chown 'faxsurvey.orig' after patching.

Cheers
Tom

--- faxsurvey.orig Mon Dec 1 01:05:47 1997
+++ faxsurvey Fri Jul 31 11:59:21 1998
@@ -44,7 +44,7 @@
 #
 # Be careful here.
 #
-eval `$ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'`
+eval "ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"
 echoMail() {
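Review bot: the new `+eval "ECHO "$QUERY_STRING" | ..."` line does not remove the injection, it only changes its shape: the inner `"$QUERY_STRING"` closes the outer double quotes, so the raw query string is still spliced unquoted into the text that `eval` executes, and any shell metacharacters it contains are still run as commands. The line also drops the `$` from `$ECHO`, and since the pipeline's decoded output is no longer what `eval` evaluates, the form fields the original line was meant to assign are never set. Suggest not passing the query string through `eval` in any form: decode it, split it into name=value pairs, and assign only a fixed list of expected field names, treating the values strictly as data.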
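The root cause named in the first message is `eval` over the decoded query string. As an added example that is not from the advisory, the patch or HylaFAX, here is a POSIX sh decoder that parses `QUERY_STRING` without ever handing it to `eval`; the field names `name`, `fax` and `email` are assumed placeholders, not the real script's fields.

```shell
#!/bin/sh
# Added example: decode a CGI QUERY_STRING as data, never as code.
# Assumed field names: name, fax, email (placeholders, not faxsurvey's real fields).

# url_decode: expand %XX escapes and '+' with awk; the result is a plain string,
# shell metacharacters in it are never interpreted.
url_decode() {
    printf '%s' "$1" | awk '
        BEGIN { hex = "0123456789ABCDEF" }
        {
            s = $0; out = ""
            while (length(s) > 0) {
                c = substr(s, 1, 1)
                h = toupper(substr(s, 2, 2))
                if (c == "+") { out = out " "; s = substr(s, 2) }
                else if (c == "%" && h ~ /^[0-9A-F][0-9A-F]$/) {
                    n = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
                    out = out sprintf("%c", n); s = substr(s, 4)
                } else { out = out c; s = substr(s, 2) }   # lone or malformed % stays literal
            }
            print out
        }'
}

# parse_query: split on '&', decode each side, accept only the expected field names.
# Emits "name<TAB>value" lines for the caller to read; nothing here is eval'ed.
parse_query() {
    printf '%s\n' "$1" | tr '&' '\n' | while IFS= read -r pair; do
        [ -z "$pair" ] && continue
        case $pair in
            *=*) name=$(url_decode "${pair%%=*}"); value=$(url_decode "${pair#*=}") ;;
            *)   name=$(url_decode "$pair"); value="" ;;
        esac
        case $name in
            name|fax|email) printf '%s\t%s\n' "$name" "$value" ;;   # known fields only
            *) printf 'rejected field: %s\n' "$name" >&2 ;;        # anything else is dropped
        esac
    done
}

# Demo on a constructed query when run directly (CGI would set QUERY_STRING).
parse_query "${QUERY_STRING:-name=Tom&fax=%2B49+123}"
```

A value such as `a;b|c` comes back as literal text in the output, so the shell never sees it as a command.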