COMMAND

    jj.c

SYSTEM AFFECTED

    Systems running jj.c as CGI

PROBLEM

    jj.c is a demo CGI program. It passes unfiltered user input to
    /bin/mail. You know what that means. Use ~ to escape to a shell,
    etc. The segment of the code looks like:

    if(allow) {
        char t[256];
        /* Build the mail command line and hand it to a shell through
         * popen(); everything later written to the pipe goes straight
         * to /bin/mail's standard input, tilde escapes included. */
        sprintf(t,"/bin/mail %s",JJ_FAX);
        if(!(order=popen(t,"w")))
            print_error("the server was unable to open a pipe to mail");
        /* ... remainder of the block not shown ... */
    }

    For allow to be true a password must be supplied. I have seen both
    "HTTPdrocks" and "SDGROCKS" used as the default in the source code.
    To make matters more interesting, it defines the following
    variable:

    char w[256];

    It then uses getword to fill it with user-supplied data:

        getword(w,cl,'=');

    getword is defined as:

void getword(char *word, char *line, char stop) {
    int x = 0,y;

    /* Copy line into word up to the first 'stop' character.  Nothing
     * limits x against the size of word (w[256] in jj.c), so a longer
     * field writes past the end of the buffer: this is the overflow. */
    for(x=0;((line[x]) && (line[x] != stop));x++)
        word[x] = line[x];

    word[x] = '\0';
    if(line[x]) ++x;        /* skip the stop character itself */
    y=0;

    /* Shift the unread remainder of line down to its start, in place. */
    while(line[y++] = line[x++]);
}

    As you can see, it does no bounds checking. Lucky for them that
    main calls exit before returning; the overflow still smashes the
    stack, but the clobbered return address is never used, otherwise
    you would have a nice buffer overflow. This code should be studied
    as an example of how NOT to write secure programs. Credit for this
    discovery (and text) goes to Aleph One.
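    A bounded replacement for getword, added here as an example (it is
    not code from jj.c). It keeps the original's semantics (copy up to
    the stop character, then shift the rest of the line down) but takes
    the destination size and reports an oversize field instead of
    writing past the buffer; the demo input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for jj.c's getword(): copies line up to `stop`
 * (or end of string) into word, writing at most wordsz-1 bytes plus
 * the terminator, then shifts the unread remainder of line to its
 * front in place, as the original does.  Returns 0 on success or -1
 * if the field did not fit (reject the request, don't trust the value). */
int getword_n(char *word, size_t wordsz, char *line, char stop)
{
    size_t x, y = 0;
    int rc = 0;

    if (wordsz == 0)
        return -1;
    for (x = 0; line[x] != '\0' && line[x] != stop; x++) {
        if (x + 1 < wordsz)
            word[x] = line[x];      /* room left: copy the byte */
        else
            rc = -1;                /* destination full: flag oversize field */
    }
    word[x < wordsz ? x : wordsz - 1] = '\0';
    if (line[x] != '\0')
        x++;                        /* skip the stop character itself */
    while ((line[y++] = line[x++]) != '\0')
        ;                           /* shift remainder down, as getword does */
    return rc;
}

/* Constructed demo: parse a CGI-style query into a fixed 8-byte field
 * (jj.c used w[256]; the small size just makes the overflow case easy
 * to hit).  Returns 1 if every result is as expected, 0 otherwise. */
int demo(void)
{
    char line[64], w[8];

    strcpy(line, "name=alice&x=1");
    if (getword_n(w, sizeof w, line, '=') != 0 || strcmp(w, "name") != 0)
        return 0;
    if (getword_n(w, sizeof w, line, '&') != 0 || strcmp(w, "alice") != 0)
        return 0;
    /* An overlong field: the original getword would write 16 bytes into
     * an 8-byte buffer; getword_n truncates and reports it instead. */
    strcpy(line, "0123456789abcdef=rest");
    if (getword_n(w, sizeof w, line, '=') != -1 || strcmp(w, "0123456") != 0)
        return 0;
    return strcmp(line, "rest") == 0;
}
```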

SOLUTION

    Tilde escaping from /bin/mail shouldn't work on most modern
    systems, simply because the /bin/mail implementations I have looked
    at don't accept tilde escapes unless the input is coming from a
    terminal or /bin/mail is invoked with -I. If you find this problem
    big for you, remove jj.c (unless it is important to you, in which
    case get qmail).