Re: emumail.cgi, one more local vulnerability (not verified)

[Leif Jakob <bugtraq () pinguin weite-welt com>]

On Thu, Apr 04, 2002 at 03:17:16AM +0200, acidneo () altern org wrote:

Hi, 

I found one more local exploit (not verified)

> name            : emumail.cgi
> date            : 04/04/2002
> description     : EMU Webmail: how to check your email
> from the web. 
> severity        : Low/average-risk
> homepage        : www.emumail.com
>
> Any user can view files on the remote system:

here are the "nice" source fragments from emumail.cgi (just downloaded
it from their website):

-------------------- CUT HERE --------------------
my $http_host = lc $ENV{'HTTP_HOST'};

if ( -e "$http_host.init" ) {
  open(INI, "$http_host.init") || debug "Can't open $http_host.init! : $! ";
  <INI> =~ /page_root\s*=\s*(\S+)/m;
  close(INI);
  $page_root = $1;
}

...

open (IN, "$page_root/.....");
-------------------- CUT HERE --------------------

all you need is send a HTTP-Host like "../../../../../tmp/evil", place
a config file with the new pageroot "|/tmp/evilprog " and you hijacked
the cgi-user on the next open call.

I know it's a lame local only, but I guess that perl-script has more
"nice" things you can work on.

Cheers

Leif

PS.: Why the hell do they encrypt their source?