Bugtraq mailing list archives
Re: emumail.cgi, one more local vulnerability (not verified)
From: Leif Jakob <bugtraq () pinguin weite-welt com>
Date: Wed, 10 Apr 2002 17:58:52 +0200
On Thu, Apr 04, 2002 at 03:17:16AM +0200, acidneo () altern org wrote:

> Hi, I found one more local exploit (not verified)
>
> name : emumail.cgi
> date : 04/04/2002
> description : EMU Webmail: how to check your email from the web.
> severity : Low/average-risk
> homepage : www.emumail.com
>
> Any user can view files on the remote system:

here are the "nice" source fragments from emumail.cgi (just downloaded it from their website):

-------------------- CUT HERE --------------------
my $http_host = lc $ENV{'HTTP_HOST'};

if ( -e "$http_host.init" ) {
    open(INI, "$http_host.init") || debug "Can't open $http_host.init! : $! ";
    <INI> =~ /page_root\s*=\s*(\S+)/m;
    close(INI);
    $page_root = $1;
}
...
open (IN, "$page_root/.....");
-------------------- CUT HERE --------------------

all you need is to send a HTTP-Host like "../../../../../tmp/evil", place a config file with the new pageroot "|/tmp/evilprog " and you hijacked the cgi-user on the next open call.

I know it's a lame local only, but I guess that perl-script has more "nice" things you can work on.

Cheers
Leif

PS.: Why the hell do they encrypt their source?
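A hardened form of the fragment quoted above, as an added example that is not part of the original post and not EMUMAIL's code: it validates the Host header before it reaches a file name, reads the config with three-argument open, and checks page_root before use. The directory /etc/emumail, the file name index.html and the helper names safe_host and read_page_root are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: config directory writable only by the site admin (not from the post).
my $CONF_DIR = '/etc/emumail';

# Accept only a plain DNS host name with an optional :port.
# Rejects '/', '..', NUL bytes and shell metacharacters by construction.
sub safe_host {
    my ($raw) = @_;
    return unless defined $raw;
    my $host = lc $raw;
    $host =~ s/:\d{1,5}\z//;                      # drop an optional port
    return unless length($host) <= 253;
    my $label = qr/[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?/;
    return unless $host =~ /\A$label(?:\.$label)*\z/;
    return $host;
}

# Three-argument open: the file name is never parsed for a mode or a pipe.
sub read_page_root {
    my ($host) = @_;
    open(my $ini, '<', "$CONF_DIR/$host.init") or return;
    my $root;
    while (my $line = <$ini>) {
        if ($line =~ /^\s*page_root\s*=\s*(\S+)/) { $root = $1; last }
    }
    close $ini;
    # Absolute path of ordinary path characters only, and no '..' component.
    return unless defined($root) && $root =~ m{\A/[\w./-]+\z};
    return if $root =~ m{(?:\A|/)\.\.(?:/|\z)};
    return $root;
}

# Constructed inputs; the second is the traversal value described in the post.
for my $h ('mail.example.com', '../../../../../tmp/evil', 'mail.example.com:8080') {
    my $ok = safe_host($h);
    printf "%-26s => %s\n", $h, defined($ok) ? "accepted as $ok" : 'rejected';
}

if (defined(my $host = safe_host($ENV{HTTP_HOST}))) {
    if (defined(my $root = read_page_root($host))) {
        # Explicit '<' mode: a leading '|' in the path is just a file name character.
        open(my $in, '<', "$root/index.html") or warn "cannot open page: $!";
    }
}
```

Either control alone breaks the chain described in the post: the host check stops the attacker-chosen .init file from being read, and three-argument open stops a page_root beginning with "|" from being run as a command.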