[22805] in bugtraq
Bug found at W3Mail Webmail
daemon@ATHENA.MIT.EDU (Emanuel Almeida)
Sun Oct 7 03:00:30 2001
Date: Sun, 7 Oct 2001 02:32:31 -0200 (BRST)
From: Emanuel Almeida <corb@sekure.org>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21.0110070231120.13943-100000@unreal.sekure.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Name: W3Mail 1.0.2 Personal and Commercial Version
Author: Spencer Miles
Problem: Script doesn't check for special metacharacters like
&;`'\"|*?~<>^()[]{}$\n\r. Any webmail user can execute *nix
commands on the webserver.
Exploit:
On any field at "Compose Message", put something like:
(Recipient example)
foo@bar.com"; `/bin/touch /tmp/foobar`; $foo = "bar
Fix:
Filter these metacharacters in sendmessage.cgi and others.
[]s
--corb
--
Lord, grant me the serenity to accept the things I cannot
change, the courage to change the things I can, and the
wisdom to hide the bodies of the people I had to kill because
they pissed me off.
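
The filtering the advisory asks for, sketched as an added example (not part of the original post and not W3Mail's code). It checks a recipient field against the advisory's metacharacter list plus an address allowlist, then builds an argument vector so no shell or string evaluation ever sees the value. The function names, the allowlist pattern and the sendmail path are assumptions made for illustration.

```python
import re

# Metacharacter set quoted in the advisory: &;`'\"|*?~<>^()[]{}$\n\r
SHELL_META = set("&;`'\\\"|*?~<>^()[]{}$\n\r")

# Assumption: a conservative allowlist for one address (not full RFC 5322).
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# The recipient value given in the advisory, used here only as test input.
EXPLOIT = 'foo@bar.com"; `/bin/touch /tmp/foobar`; $foo = "bar'


def find_metachars(value):
    """Return the sorted metacharacters present in value (empty if clean)."""
    return sorted(set(value) & SHELL_META)


def check_recipients(field):
    """Split a To/Cc/Bcc field on commas; return (accepted, rejected)."""
    accepted, rejected = [], []
    for raw in field.split(","):
        addr = raw.strip()
        if not addr:
            continue
        # Allowlist first; the metacharacter check is defence in depth.
        if ADDR_RE.fullmatch(addr) and not find_metachars(addr):
            accepted.append(addr)
        else:
            rejected.append(addr)
    return accepted, rejected


def sendmail_argv(field, sendmail="/usr/sbin/sendmail"):
    """Build an argv list for subprocess.run(argv), which uses no shell."""
    accepted, rejected = check_recipients(field)
    if rejected or not accepted:
        raise ValueError("rejected recipient field: %r" % (rejected,))
    # "--" ends option parsing so an address is never read as a flag.
    return [sendmail, "-i", "--"] + accepted


if __name__ == "__main__":
    print(find_metachars(EXPLOIT))
    print(check_recipients("foo@bar.com, alice@example.org"))
```

Free-text fields such as the subject or body cannot be held to the same allowlist without breaking ordinary mail, so for those the safe handling is to pass them as data (message content on standard input) and never interpolate them into a command or evaluated string.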