Vulnerability Development
mailing list archives
PGPMail.pl possible remote command execution
From: John Scimone <jscimone () cc gatech edu>
Date: Thu, 29 Nov 2001 19:25:58 -0500
PGPMail.pl (http://www.venturablvd.com/pgpmail/) is a modified version of
Matt Wright's FormMail.pl meant to support PGP form mail.
I was recently looking at the code and noticed 2 questionable open() calls
that appear to be exploitable:
open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";
and...
$ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");
recipient and pgpuserid are both kept in hidden fields supplied by the client.
Wouldn't it be possible to just throw in a ; /bin/whatever to execute
commands with the privileges of the webserver?
the only parsing done on the input is in these lines:
$value =~ tr/+/ /;
$value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
# If they try to include server side includes, erase them, so they
# arent a security risk if the html gets returned. Another
# security hole plugged up.
$value =~ s/<!--(.|\n)*-->//g;
$value =~ s/~!/ ~!/g; #maybe superfluous
I don't understand perl that well, so I'll leave this up to the reader to
decide whether this can be exploited successfully, but your thoughts are
appreciated.
The last update to this script was done at the beginning of 2000 and it isn't
too active on the web, however there are some sites running it and this
should be looked at if it is exploitable.
John Scimone
CS Major @ Ga Tech
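The weakness John describes is the classic Perl pipe-open problem: the two-argument form `open(FH, "|$prog $arg")` hands the whole string to /bin/sh, so shell metacharacters in `$arg` become commands. The following is an added illustration (not part of the original post, nor code from PGPMail.pl or FormMail.pl) of how the two open() calls could be written so that no shell is involved, plus an allow-list check on the two client-supplied fields. The paths in `$mailprog`, `$pgpprog` and `$pgptmp` are placeholders; the real script reads its own configuration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Placeholder paths; the real script sets these from its own config.
my $mailprog = '/usr/lib/sendmail';
my $pgpprog  = '/usr/bin/pgp';
my $pgptmp   = '/tmp/pgpmail.out';

# Allow-list check for the hidden "recipient" field. Only a narrow address
# syntax is admitted, so ; | & ` $ and friends never reach the mailer.
sub valid_recipient {
    my ($addr) = @_;
    return defined $addr
        && length($addr) <= 254
        && $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
}

# Same idea for the hidden "pgpuserid" field: a conservative character set
# (key id, e-mail address or plain name), no shell metacharacters.
sub valid_pgpuserid {
    my ($uid) = @_;
    return defined $uid && $uid =~ /\A[A-Za-z0-9 ._@+-]{1,100}\z/;
}

# Pipe to the mailer without a shell. The list form of open() with '|-'
# forks and execs $mailprog directly; $recipient is one argv element and
# is never parsed by /bin/sh, even if the allow-list check were wrong.
sub open_mailer {
    my ($recipient) = @_;
    die "bad recipient\n" unless valid_recipient($recipient);
    open(my $mail, '|-', $mailprog, $recipient)
        or die "Can't open $mailprog: $!\n";
    return $mail;   # write the message here, then close() to wait for sendmail
}

# The original redirects pgp's stdout with "> $pgptmp" inside the shell
# string. Without a shell we fork, redirect STDOUT in the child ourselves,
# then exec pgp with an argument list (the perlipc "safe pipe open" idiom).
sub open_pgp {
    my ($userid) = @_;
    die "bad pgp user id\n" unless valid_pgpuserid($userid);
    my $pid = open(my $pgp, '|-');          # fork; child's STDIN is the pipe
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {
        open(STDOUT, '>', $pgptmp) or die "Can't write $pgptmp: $!\n";
        exec($pgpprog, '-fea', '+VERBOSE=0', $userid)
            or die "Can't exec $pgpprog: $!\n";
    }
    return $pgp;    # parent: write plaintext here, close() to wait for pgp
}

# Constructed sample inputs showing the allow-list decision; nothing is
# actually mailed or encrypted here.
for my $r ('user@example.com', 'user@example.com; /bin/whatever') {
    printf "%-35s %s\n", $r, valid_recipient($r) ? 'accepted' : 'rejected';
}
for my $u ('0x12345678', 'user@example.com', 'id `/bin/whatever`') {
    printf "%-35s %s\n", $u, valid_pgpuserid($u) ? 'accepted' : 'rejected';
}
```

Two independent layers are at work: the regexes reject anything outside the expected syntax, and the list-form open()/exec removes the shell entirely, so a slip in the first layer cannot turn into command execution. Taint mode (`perl -T`) would additionally refuse to pass unchecked form input to open() or exec at all, which is the usual recommendation for CGI scripts of this era.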