MCI Data Systems Division                  internetMCI Security Group
MCI Telecommunications                     internetMCI Engineering Department

                              MIIGS / MEALS Alert
===============================================================================

Report Name:          WWW CGI Security Alert
Report Number:        iMCISE:MIIGSWWWCGI:080195:01:P1R1
Report Date:          08/01/95
Report Format:        Formal Report
Classification:       None
Report Priority:      Urgent
Report Distribution:  MIIGS (MCI Internal Internet Gateway Security) /
                      MEALS (MCI Emergency Alert List)
                      (names on file)
----------------------------------------------------------------------------

--- Begin Included Message ---

From: Paul Phillips
Subject: SECURITY HOLE: "AnyForm" CGI
===========================================================================

Problem:

If you are running the "AnyForm" CGI program, available at on your web
server, any client can run arbitrary commands under the server UID.

Affected versions: all versions

Explanation:

"AnyForm" passes form data to a system call without performing sanity
checks. To exploit, create a form with a hidden field something like this:

Then submit the form to the "AnyForm" CGI on the server to be attacked.
The value of this parameter is passed to this code:

    SystemCommand="/usr/lib/sendmail -t " + AnyFormTo + " <" + CombinedFileName;
    system(SystemCommand);

Since system invokes a shell, the semicolons are treated as command
delimiters and anything can be inserted.

CGI authors, PLEASE make sure you understand security issues before
releasing general purpose code to the public. I have seen variations on
this mistake in more code than I care to recount.

I emailed the author with this information Saturday, but I have not yet
heard back, and I am not one to sit on security holes. I have no idea how
widely this code is being used, but I have seen discussion on at least a
couple newsgroups, so this is going out to several newsgroups and mailing
lists. Please send any followups to comp.infosystems.www.authoring.cgi.

Regards,
--
Paul Phillips                | "Click _here_ if you do not
                             |  have a graphical browser"
                             |   -- Canter and Siegel, on
                             |      their short-lived web site

----- End Included Message -----

"Success through teamwork"
===============================================================================
Dale Drew                                   MCI Telecommunications
Manager                                     internetMCI Security Engineering
Voice: 703/715-7058                         Internet: ddrew@mci.net
Fax:   703/715-7066                         MCIMAIL: Dale_Drew/644-3335
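The defect in the included message is that a form field is spliced into a string handed to system(), so /bin/sh parses whatever the client supplied. The following is an added illustration written for this alert; it is not AnyForm's code and not MCI's. It shows the vulnerable string-building pattern from the alert beside a shell-free replacement that (a) allow-lists the recipient characters before use and (b) executes sendmail directly with an argv array, opening the message file itself instead of relying on the shell's "<" redirection. The function names (validRecipient, vulnerableCommand, sendWithoutShell) are hypothetical; the sendmail path is the one quoted in the alert, and the sample recipient strings are constructed.

```cpp
// Added example for this alert (not AnyForm's or MCI's code): the
// system()-based pattern beside a shell-free equivalent.
#include <cctype>
#include <cerrno>
#include <cstring>
#include <fcntl.h>
#include <iostream>
#include <string>
#include <sys/wait.h>
#include <unistd.h>

// Allow-list the recipient: letters, digits and a few mailbox characters.
// Shell metacharacters (';', '|', '&', '`', '$', quotes, whitespace,
// redirects) are not in the list, so they are rejected before any use.
bool validRecipient(const std::string& to) {
    if (to.empty() || to.size() > 254) return false;
    size_t at = to.find('@');
    if (at == std::string::npos || at == 0 || at + 1 == to.size()) return false;
    if (to.find('@', at + 1) != std::string::npos) return false;
    for (unsigned char c : to) {
        if (std::isalnum(c)) continue;
        // c != 0 guards strchr, which would otherwise "find" the NUL terminator.
        if (c != 0 && std::strchr("._%+-@", c)) continue;
        return false;
    }
    return true;
}

// The pattern the alert describes: the form value becomes part of a
// command line that system() hands to /bin/sh. Kept here only to show
// what the shell would receive; nothing executes it.
std::string vulnerableCommand(const std::string& anyFormTo,
                              const std::string& combinedFileName) {
    return "/usr/lib/sendmail -t " + anyFormTo + " <" + combinedFileName;
}

// Hardened: validate, then fork/exec with a fixed argv. No shell is
// involved, so a metacharacter in `to` could only ever reach sendmail
// as a literal argument, and the validator rejects it anyway.
// Returns the child's exit status, or -1 (errno set) on failure.
int sendWithoutShell(const std::string& to, const std::string& file,
                     const std::string& sendmailPath = "/usr/lib/sendmail") {
    if (!validRecipient(to)) { errno = EINVAL; return -1; }
    int in = open(file.c_str(), O_RDONLY);   // we open the file, not the shell
    if (in < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(in); return -1; }
    if (pid == 0) {
        dup2(in, STDIN_FILENO);              // replaces the shell's "<" redirect
        close(in);
        execl(sendmailPath.c_str(), sendmailPath.c_str(), "-t", to.c_str(),
              static_cast<char*>(nullptr));
        _exit(127);                          // exec failed
    }
    close(in);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main() {
    // Constructed inputs: a normal address and one carrying a shell delimiter.
    const std::string good = "user@example.com";
    const std::string bad  = "user@example.com;echo";
    std::cout << "shell would see: " << vulnerableCommand(bad, "/tmp/form.txt") << "\n";
    std::cout << "validRecipient(good) = " << validRecipient(good) << "\n";
    std::cout << "validRecipient(bad)  = " << validRecipient(bad) << "\n";
    // /bin/true stands in for sendmail so the demo runs on any Unix box.
    std::cout << "exit status (good)   = " << sendWithoutShell(good, "/dev/null", "/bin/true") << "\n";
    std::cout << "exit status (bad)    = " << sendWithoutShell(bad, "/dev/null", "/bin/true") << "\n";
    return 0;
}
```

The detection side is the same check run in reverse: in a 1995-era CGI audit, grep the source for system(), popen() and exec*() calls whose arguments include anything derived from QUERY_STRING or POST data, and treat each as a finding until the value is shown to be allow-listed or passed as a discrete argv element.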