On Thu, Apr 04, 2002 at 03:17:16AM +0200, [EMAIL PROTECTED] wrote:
Hi,
I found one more local exploit (not verified)
> name : emumail.cgi
> date : 04/04/2002
> description : EMU Webmail: how to check your email
> from the web.
> severity : Low/average-risk
> homepage : www.emumail.com
>
> Any user can view files on the remote system:
here are the "nice" source fragments from emumail.cgi (just downloaded
it from their website):
-------------------- CUT HERE --------------------
my $http_host = lc $ENV{'HTTP_HOST'};
if ( -e "$http_host.init" ) {
open(INI, "$http_host.init") || debug "Can't open $http_host.init! : $! ";
<INI> =~ /page_root\s*=\s*(\S+)/m;
close(INI);
$page_root = $1;
}
...
open (IN, "$page_root/.....");
-------------------- CUT HERE --------------------
all you need is send a HTTP-Host like "../../../../../tmp/evil", place
a config file with the new pageroot "|/tmp/evilprog " and you hijacked
the cgi-user on the next open call.
I know it's a lame local only, but I guess that perl-script has more
"nice" things you can work on.
Cheers
Leif
PS.: Why the hell do they encrypt their source?
