Name: W3Mail 1.0.2 Personal and Commercial Version Author: Spencer Miles Problem: Script doesnt check for special metacharacters like &;`'\"|*?~<>^()[]{}$\n\r. Any webmail user can execute *nix commands on webserver. Exploit: On any field at "Compose Message", put something like: (Recipient example) fooat_private"; `/bin/touch /tmp/foobar`; $foo = "bar Fix: Filter this metacharacters on sendmessage.cgi and others.. []s --corb -- Lord, grant me the serenity to accept the things I cannot change, the courage to change the things I can, and the wisdom to hide the bodies of the people I had to kill because they pissed me off.
This archive was generated by hypermail 2b30 : Sat Oct 06 2001 - 23:55:02 PDT