Bugtraq mailing list archives

Bug found at W3Mail Webmail

From: Emanuel Almeida <corb () sekure org>
Date: Sun, 7 Oct 2001 02:32:31 -0200 (BRST)

Name: W3Mail 1.0.2 Personal and Commercial Version

Author: Spencer Miles

Problem: Script doesnt check for special metacharacters like 
&;`'\"|*?~<>^()[]{}$\n\r. Any  webmail user can execute *nix 
commands on webserver.

Exploit:
On any field at "Compose Message", put something like:
(Recipient example)
foo () bar com"; `/bin/touch /tmp/foobar`; $foo = "bar

Fix:
Filter this metacharacters on sendmessage.cgi and others..


[]s

 --corb


--
Lord, grant me the serenity to accept the things I cannot
change, the courage to change the things I can, and the 
wisdom to hide the bodies of the people I had to kill because 
they pissed me off.

Current thread:

Bug found at W3Mail Webmail Emanuel Almeida (Oct 06)
- Re: Bug found in ht://Dig htsearch CGI Geoff Hutchison (Oct 08)