Add2It Mailman allows command execution on server
18th Feb 2002 [SBWID-5109]
COMMAND

	Add2It Mailman allows command execution on server

SYSTEMS AFFECTED

	Add2It Mailman free version 1.73 - possibly commercial version too.

PROBLEM

	b0iler [http://b0iler.advknowledge.net] found the following in Add2It
	Mailman, a mailing list management tool
	(http://www.add2it.com/scripts/mailman-free.shtml):

	The problem is that the script does not filter input well:

	$command = $ENV{'QUERY_STRING'};
	($list, $email) = split(/=/,$command);

	and then the script makes an open() call based on input from the user:

	open(LIST, "${path}data/lists/$list");

	There are also open() calls with > and >> that use $list. The way to
	exploit this to write to a file would be:

	../../../../file=data@to.write

	or for command execution:

	../../../../bin/command|=blah@bleh.com

	This exploit is for the free version of Add2It Mailman, but the same
	vulnerability is probably valid for the paid-for version.

SOLUTION

	Fix: filter meta characters and .. and use < << > >> with open()
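
	The fix above applied to the snippet from this advisory, as an added Perl
	example (not Add2It's code and not part of the original advisory): the list
	name is checked against an allow-list and open() is called in its
	three-argument form. The temporary directory standing in for
	${path}data/lists, the sub names and the sample requests are assumptions
	constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Assumption: stand-in for "${path}data/lists" from the original script.
my $list_dir = tempdir(CLEANUP => 1);

# Split "list=email" as the script does, but validate before any open().
sub parse_request {
    my ($query) = @_;
    my ($list, $email) = split /=/, ($query // ''), 2;
    return unless defined $list && defined $email;
    # Allow-list for the file name part: no '/', '.', '|', '<', '>' or spaces.
    return unless $list =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    $list = $1;
    # The address is written into the list file: keep it to a single token.
    return unless $email =~ /\A([^\s\@|<>]+\@[^\s\@|<>]+)\z/;
    return ($list, $1);
}

# Three-argument open(): the mode is a separate argument, so the file name
# is never scanned for a leading '>' or a trailing '|'.
sub subscribe {
    my ($list, $email) = @_;
    open(my $fh, '>>', "$list_dir/$list") or die "open $list: $!";
    print {$fh} "$email\n";
    close($fh) or die "close $list: $!";
    return 1;
}

# Constructed inputs: one normal request plus the two strings from the advisory.
my @requests = (
    'news=alice@example.com',
    '../../../../file=data@to.write',
    '../../../../bin/command|=blah@bleh.com',
);

for my $q (@requests) {
    if (my ($list, $email) = parse_request($q)) {
        subscribe($list, $email);
        print "accepted: list=$list email=$email\n";
    } else {
        print "rejected: $q\n";
    }
}
```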
