Bugtraq mailing list archives
Vuln in calender.pl (Matt Kruse calender script)
From: suid () SUID KG (suid () SUID KG)
Date: Tue May 16 14:59:12 2000
Evening, I wouldnt normally post a small thing like this to bugtraq but i checked out cgi-resources.com and it seems to be damn popular so someone here may care. Oh yeah I notified Matt (the vendor) and he figured it wasnt really an issue. Oh well. Visit www.suid.kg/advisories/ for more crap like this. suid () suid kg --cut-- suid () suid kg - Matt Kruse Calendar Script Vulnerability Software: Matt Kruse Calendar Script URL: http://www.mattkruse.com/scripts/calendar/ Version: Version 2.2 and below? Platforms: UNIX / Windows NT Type: Input Validation Failure Lame Factor: Damn High Summary: Remote users can execute arbitrary commands on the web server with the priviledge level of the httpd process. Vulnerability: Both the calender.pl and the calendar_admin.pl scripts fail to perform proper input validation. The calender_admin.pl script for example prompts the user for a configuration file to modify. Then in an attempt to authenticate the user to verify they have access to modify the specified configuration file, it passes the user input straight to perl open(). *yoink*(tm) Exploit: calender_admin.pl - easiest Assuming http://www.ownable.domain/ has calender.pl at: http://www.ownable.domain/cgi-bin/calender.pl The admin script by default is at: http://www.ownable.domain/cgi-bin/calender_admin.pl Going to that URL will result in a username/password/configuration file input fields. Ignoring username and password, enter: |<command here>| (With the pipes) in the configuration file field. e.g. |ping 127.0.0.1| Note: I notice that calender.pl does not sanitise input either and is vulnerable to an open attack but am not interested enough to write about it. Blah. Greets: duke - WHAT THE HELL!?>! horizons yowie !
Current thread:
- Re: more majordomo brokeness, (continued)
- Re: more majordomo brokeness Richard Trott (May 31)
- I think Jay Mobley (May 23)
- Re: kscd vulnerability Katherine M. Moussouris (May 25)
- Cisco Bug Esteve Espuna (May 16)
- Re: Cisco Bug James Sneeringer (May 16)
- Security Bulletins Digest (fwd) Mike Bush (May 17)
- Cisco Bug Error Log Esteve Espuna (May 16)
- CProxy v3.3 SP 2 DoS |[TDP]| (May 16)
- Banner Rotation 01 zillion (May 16)
- Re: Banner Rotation 01 Joao Pedro Gonçalves (May 17)
- Vuln in calender.pl (Matt Kruse calender script) suid () SUID KG (May 16)
- Various Lame Stuff wizdumb () LEET ORG (May 16)
- You can now track Bugtraq 24/7 with Software. Alfred Huger (May 15)
- Allmanage.pl Vulnerabilities bighawk (May 15)