Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Add2it Mailman command execution

From: "b0iler _" <b0iler () hotmail com>
Date: Wed, 13 Feb 2002 17:57:32 -0700
#!/exploit/by/b0iler
#
#Add2it Mailman Free V1.73
#script url: http://www.add2it.com/scripts/mailman-free.shtml

The problem is that the script does not filter input well:

$command = $ENV{'QUERY_STRING'};
($list, $email) = split(/=/,$command);

and then the script makes an open() call based on input from the user:

open(LIST, "${path}data/lists/$list");

There is also open()s with > and >> which use $list
The way to exploit this to write to a file would be:

../../../../file=data@to.write

or for command execution:

../../../../bin/command|=blah () bleh com
This exploit is for the free version of Add2it Mailman, but the same vulnerability is probably valid for the paid for version. 

Fix: filter meta characters and .. and use < << > >> with open()
Author was contacted on 1/30/02 and replied that day stating the problem would be fixed in the next release. Which should be out by the time of this posting, although I haven't gotten any word about it's release yet. 

-http://b0iler.advknowledge.net



_________________________________________________________________
MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx
Previous By Date Next
Previous By Thread Next

Current thread: