Bugtraq mailing list archives

Add2it Mailman command execution
From: "b0iler _" <b0iler () hotmail com>
Date: Wed, 13 Feb 2002 17:57:32 -0700

#!/exploit/by/b0iler
#
#Add2it Mailman Free V1.73
#script url: http://www.add2it.com/scripts/mailman-free.shtml

The problem is that the script does not filter input well:

$command = $ENV{'QUERY_STRING'};
($list, $email) = split(/=/,$command);

and then the script makes an open() call based on input from the user:

open(LIST, "${path}data/lists/$list");

There are also open()s with > and >> which use $list.
The way to exploit this to write to a file would be:

../../../../file=data () to write

or for command execution:

../../../../bin/command|=blah () bleh com

This exploit is for the free version of Add2it Mailman, but the same vulnerability is probably valid for the paid-for version.

Fix: filter meta characters and .. and use < << > >> with open()

Author was contacted on 1/30/02 and replied that day stating the problem would be fixed in the next release, which should be out by the time of this posting, although I haven't gotten any word about its release yet.

-http://b0iler.advknowledge.net
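
The fix named in the post, sketched in Perl as an added example (not code from the post or from Add2it): the list name is checked against an allowlist pattern and opened with three-argument open(), so the mode can never come from the file name. $LIST_DIR, safe_list_name and open_list are hypothetical names, and the sample query strings are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical base directory; the original script builds its path from $path.
my $LIST_DIR = '/var/www/cgi-bin/mailman/data/lists';

# Allowlist instead of a metacharacter blocklist: only a plain name passes,
# so '/', '.', '|', '<', '>' and whitespace are all rejected.
sub safe_list_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

# Three-argument open: the mode is its own argument, so nothing in the
# file name is interpreted as '>', '>>' or a pipe to a command.
sub open_list {
    my ($raw, $mode) = @_;
    my $name = safe_list_name($raw);
    return unless defined $name;
    return unless $mode eq '<' || $mode eq '>' || $mode eq '>>';
    open(my $fh, $mode, "$LIST_DIR/$name") or return;
    return $fh;
}

# Constructed sample inputs: one ordinary request and the two shapes
# described in the advisory (traversal, and a trailing pipe).
for my $query ('newsletter=user@example.com',
               '../../../../file=x',
               '../../../../bin/command|=x') {
    my ($list, $email) = split /=/, $query, 2;
    my $verdict = defined(safe_list_name($list)) ? 'accepted' : 'rejected';
    printf "%-30s %s\n", $list, $verdict;
}
```

Only the first sample is accepted; the loop calls the validator alone, so it runs without any list files on disk.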




