[24284] in bugtraq
Add2it Mailman command execution
daemon@ATHENA.MIT.EDU (b0iler _)
Thu Feb 14 18:52:53 2002
From: "b0iler _" <b0iler@hotmail.com>
To: bugtraq@securityfocus.com
Date: Wed, 13 Feb 2002 17:57:32 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F280XsOwYEIEktho3sD000161c2@hotmail.com>
#!/exploit/by/b0iler
#
#Add2it Mailman Free V1.73
#script url: http://www.add2it.com/scripts/mailman-free.shtml
The problem is that the script does not filter input well:
$command = $ENV{'QUERY_STRING'};
($list, $email) = split(/=/,$command);
and then the script makes an open() call based on input from the user:
open(LIST, "${path}data/lists/$list");
There are also open() calls with > and >> which use $list.
The way to exploit this to write to a file would be:
../../../../file=data@to.write
or for command execution:
../../../../bin/command|=blah@bleh.com
This exploit is for the free version of Add2it Mailman, but the same
vulnerability is probably valid for the paid-for version.
Fix: filter meta characters and .. and use < << > >> with open()
Author was contacted on 1/30/02 and replied that day stating the problem
would be fixed in the next release, which should be out by the time of this
posting, although I haven't gotten any word about its release yet.
-http://b0iler.advknowledge.net
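
The fix suggested in the post (filter the list name and give open() an explicit mode), as an added example that is not part of the original post or of Add2it's code. The helper names parse_request and open_list, the allowlist pattern and the temporary directory are assumptions; $path and the data/lists/ layout come from the quoted code.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: list names are short alphanumeric identifiers. This allowlist is
# illustrative; the real script's naming rules are not given in the advisory.
my $LIST_RE = qr/\A[A-Za-z0-9_-]{1,64}\z/;

# Split "list=email" as the advisory shows, then reject anything that is not
# a plain list name (no "/", "..", "|", "<", ">", NUL or whitespace survives).
sub parse_request {
    my ($query) = @_;
    my ($list, $email) = split /=/, $query // '', 2;
    return unless defined $list && $list =~ $LIST_RE;
    return ($list, $email);
}

# Three-argument open: the mode is a separate argument, so nothing in the
# file name can be interpreted as a pipe or redirection.
sub open_list {
    my ($path, $list, $mode) = @_;
    die "bad mode\n" unless $mode eq '<' || $mode eq '>' || $mode eq '>>';
    open(my $fh, $mode, "${path}data/lists/$list") or return;
    return $fh;
}

# Constructed sample input, run against a throwaway directory.
my $path = tempdir(CLEANUP => 1) . '/';
mkdir "${path}data" and mkdir "${path}data/lists" or die "mkdir: $!";

for my $query ('news=user@example.com',
               '../../../../file=data@to.write',
               '../../../../bin/command|=blah@bleh.com') {
    my ($list, $email) = parse_request($query);
    if (!defined $list) {
        print "rejected: $query\n";
        next;
    }
    my $fh = open_list($path, $list, '>>') or die "open: $!";
    print {$fh} "$email\n";
    close $fh;
    print "accepted: list=$list\n";
}
```

Only the first query is accepted; the two strings quoted in the post fail the allowlist before any open() call is reached.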