faxsurvey - Remote exploit for the faxsurvey CGI that comes with Hylafax.

Date:         Tue, 4 Aug 1998 07:41:24 -0700
From:         Tom <dod@MUENSTER.NET>
Subject:      remote exploit in faxsurvey cgi-script


There exists a bug in the 'faxsurvey' CGI-Script, which allows an attacker to
execute any command s/he wants with the permissions of the HTTP-Server.

All the attacker has to do is type
in his favorite Web-Browser to get a copy of your Password-File.

All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think also older ones) with the
HylaFAX package installed are vulnerable to this attack.

AFAIK the problem exists in the call of 'eval'.

I notified the S.u.S.E. team ( about that problem. Burchard
Steinbild <> told me that they do not have enough time to fix that
bug for their 5.3 Dist., so they decided to just remove the script from the
file list.

I advise you to *immediately* remove/chown the cgi-script; script-kiddies
will just rewrite their 'phfscan'...


PS: Look at my homepage for more information about my packetfilter


Date:         Tue, 4 Aug 1998 07:43:42 -0700
From:         Tom <dod@MUENSTER.NET>
Organization: Dungeon of Doom
Subject:      PATCH: faxsurvey


Here comes the patch for the 'faxsurvey' cgi-script.
The problem is the quotation marks for the 'eval' command.
Will they ever learn?

Don't forget to remove/chown 'faxsurvey.orig' after patching.


--- faxsurvey.orig      Mon Dec  1 01:05:47 1997
+++ faxsurvey   Fri Jul 31 11:59:21 1998
@@ -44,7 +44,7 @@
 # Be careful here.
-eval `$ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'`
+eval "ECHO "$QUERY_STRING" | $UNQUOTE -qn | $SED 's/PATH=[^;]*;//g'"
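Review bot: On the '+' line, QUERY_STRING still reaches 'eval'. The inner double quotes around $QUERY_STRING close and reopen the outer string, so the variable is expanded unquoted and its contents become part of the text that 'eval' parses as shell code. The '$' has also been dropped from '$ECHO', so the line now tries to run a command named ECHO and the form variables the script expects are never set. Suggest removing 'eval' from this line altogether: split the query string on '&' and '=', accept only the field names the script actually uses, and assign the decoded values as plain data. The sed filter for 'PATH=' covers a single variable name and is not a substitute for that allowlist.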




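Both messages locate the fault in running 'eval' over QUERY_STRING. The following is an added example, not part of the original posts or of HylaFAX, of reading form fields in a shell CGI without 'eval': names are checked against an allowlist and values are decoded strictly as data. The field names and the sample query string are hypothetical.

```shell
#!/bin/sh
# Added example: read CGI form fields from QUERY_STRING without eval.
# The field names below are hypothetical, not taken from faxsurvey.
ALLOWED_FIELDS="JobID Email Comment"

# url_decode STRING: turn '+' into space and %XX into the byte it encodes.
# The result is written to stdout and is never parsed as shell code.
url_decode() {
    printf '%s' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
        gsub(/\+/, " ")
        out = ""
        while (match($0, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            h = tolower(substr($0, RSTART + 1, 2))
            n = (index(hex, substr(h, 1, 1)) - 1) * 16 + index(hex, substr(h, 2, 1)) - 1
            out = out substr($0, 1, RSTART - 1) sprintf("%c", n)
            $0 = substr($0, RSTART + 3)
        }
        printf "%s", (out $0)
    }'
}

# get_field NAME: print the decoded value of NAME, or return 1 when NAME
# is not allowlisted or does not occur as NAME=value in QUERY_STRING.
get_field() {
    case " $ALLOWED_FIELDS " in
        *" $1 "*) ;;
        *) return 1 ;;
    esac
    _rest=$QUERY_STRING
    while [ -n "$_rest" ]; do
        _pair=${_rest%%&*}
        case "$_rest" in
            *"&"*) _rest=${_rest#*&} ;;
            *) _rest= ;;
        esac
        case "$_pair" in
            "$1="*) url_decode "${_pair#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Constructed sample input: ';' and '$HOME' arrive encoded, PATH is not allowlisted.
QUERY_STRING='JobID=42&Comment=fax+late%3B+see+%24HOME&PATH=/tmp'
printf 'JobID=[%s]\n' "$(get_field JobID)"
printf 'Comment=[%s]\n' "$(get_field Comment)"
get_field PATH || echo 'PATH: rejected, not an allowlisted field'
```

Because a value only ever passes through parameter expansion and awk, characters such as ';' or '$' in it stay literal text, and a name like PATH that is not on the allowlist is never read.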