[25021] in bugtraq
Re: emumail.cgi, one more local vulnerability (not verified)
daemon@ATHENA.MIT.EDU (Leif Jakob)
Wed Apr 10 16:31:14 2002
Date: Wed, 10 Apr 2002 17:58:52 +0200
From: Leif Jakob <bugtraq@pinguin.weite-welt.com>
To: bugtraq@securityfocus.com
Message-ID: <20020410175852.A13923@pinguin.weite-welt.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20020404011112.12478.qmail@securityfocus.com>; from acidneo@altern.org on Thu, Apr 04, 2002 at 03:17:16AM +0200
On Thu, Apr 04, 2002 at 03:17:16AM +0200, acidneo@altern.org wrote:
Hi,
I found one more local exploit (not verified)
> name : emumail.cgi
> date : 04/04/2002
> description : EMU Webmail: how to check your email
> from the web.
> severity : Low/average-risk
> homepage : www.emumail.com
>
> Any user can view files on the remote system:
Here are the "nice" source fragments from emumail.cgi (I just downloaded
it from their website):
-------------------- CUT HERE --------------------
my $http_host = lc $ENV{'HTTP_HOST'};
if ( -e "$http_host.init" ) {
open(INI, "$http_host.init") || debug "Can't open $http_host.init! : $! ";
<INI> =~ /page_root\s*=\s*(\S+)/m;
close(INI);
$page_root = $1;
}
...
open (IN, "$page_root/.....");
-------------------- CUT HERE --------------------
All you need is to send an HTTP Host header like "../../../../../tmp/evil", place
a config file with the new page_root "|/tmp/evilprog ", and you have hijacked
the CGI user on the next open call.
I know it's a lame local-only one, but I guess that Perl script has more
"nice" things you can work on.
Cheers
Leif
PS: Why the hell do they encrypt their source?
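For readers wanting to see what a fixed version of the quoted fragment looks like, here is an added Perl example written for this archive page; it is not EMU Webmail's code, and the function names, the allowlist of hosts and the temp-dir layout are assumptions. It closes both holes the post describes: the Host header is validated and matched against the hosts this installation serves before it is used to name a file, and every open uses the three-argument form with an explicit mode, so a page_root beginning with "|" is treated as a literal (non-existent) filename rather than a shell pipe. The resolved page_root is also confined to the document base. The demo at the bottom feeds the two attack-shaped inputs from the post through the hardened loader and shows them being rejected.

```perl
#!/usr/bin/perl
# Added example, not EMU Webmail code: a hardened replacement for the
# emumail.cgi config-loading pattern quoted in the post above.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;
use Cwd qw(realpath);

# Assumed allowlist: the virtual hosts this installation actually serves.
my %known_host = map { $_ => 1 } qw(webmail.example.com mail.example.org);

# Returns ($page_root, undef) on success or (undef, $reason) on rejection.
sub load_page_root_safe {
    my ($http_host, $conf_dir, $doc_base) = @_;
    my $host = lc $http_host;

    # 1. Drop an optional :port, then accept only a plain hostname
    #    (labels of letters, digits and '-', joined by '.'), so a value
    #    like "../../../../../tmp/evil" never reaches the filesystem.
    $host =~ s/:\d+\z//;
    return (undef, "malformed Host header")
        unless $host =~ /\A[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*\z/;

    # 2. Only hosts we serve may select a config file at all.
    return (undef, "unknown host") unless $known_host{$host};

    # 3. Three-argument open with an explicit '<' mode: the filename is
    #    never scanned for '|', '>' or surrounding whitespace.
    my $ini = File::Spec->catfile($conf_dir, "$host.init");
    open(my $fh, '<', $ini) or return (undef, "cannot open $ini: $!");
    my $page_root;
    while (my $line = <$fh>) {
        if ($line =~ /^\s*page_root\s*=\s*(\S+)/) { $page_root = $1; last; }
    }
    close($fh);
    return (undef, "page_root not set") unless defined $page_root;

    # 4. page_root comes from a file that may be attacker-influenced, so
    #    confine it: it must resolve to an existing directory that lies
    #    under the document base. A value such as "|/tmp/evilprog" is a
    #    relative path that does not exist and is rejected here.
    my $real = realpath($page_root);
    my $base = realpath($doc_base);
    return (undef, "page_root is not a directory under $doc_base")
        unless defined $real && defined $base && -d $real
            && ($real eq $base || index($real, "$base/") == 0);
    return ($real, undef);
}

# Constructed demo: one legitimate config in a temporary config dir.
my $conf = tempdir(CLEANUP => 1);
my $docs = tempdir(CLEANUP => 1);
open(my $w, '>', "$conf/webmail.example.com.init") or die "write: $!";
print $w "page_root = $docs\n";
close($w);

for my $host ('webmail.example.com', '../../../../../tmp/evil', 'attacker.example.net') {
    my ($root, $err) = load_page_root_safe($host, $conf, $docs);
    printf "%-28s -> %s\n", $host, defined $root ? "ok: $root" : "rejected ($err)";
}

# A config whose page_root is the pipe trick from the post: with the
# three-argument open and the directory check it is rejected, not executed.
open($w, '>', "$conf/mail.example.org.init") or die "write: $!";
print $w "page_root = |/tmp/evilprog \n";
close($w);
my ($root, $err) = load_page_root_safe('mail.example.org', $conf, $docs);
print "mail.example.org (pipe page_root) -> ",
      defined $root ? "ok: $root" : "rejected ($err)", "\n";
```

The allowlist is the decisive control: even a perfectly validated hostname should not be allowed to pick an arbitrary config file, because the Host header is entirely client-controlled. The three-argument open is cheap insurance for every other open in the script, which is where the post's "|/tmp/evilprog" trick would otherwise land.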