Bug found at W3Mail Webmail

From: Emanuel Almeida (corbat_private)
Date: Sat Oct 06 2001 - 21:32:31 PDT


    Name: W3Mail 1.0.2 Personal and Commercial Version
    
    Author: Spencer Miles
    
    Problem: Script doesn't check for special metacharacters like
    &;`'\"|*?~<>^()[]{}$\n\r. Any webmail user can execute *nix
    commands on the webserver.
    
    Exploit:
    On any field at "Compose Message", put something like:
    (Recipient example)
    fooat_private"; `/bin/touch /tmp/foobar`; $foo = "bar
    
    Fix:
    Filter these metacharacters in sendmessage.cgi and others.
    
    
    []s
    
     --corb
    
    
    --
    Lord, grant me the serenity to accept the things I cannot
    change, the courage to change the things I can, and the 
    wisdom to hide the bodies of the people I had to kill because 
    they pissed me off.
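
The fix described in the message above, as an added example that is not part of the original post and is not W3Mail's code: it checks the message's own metacharacter list, validates the recipient against an allowlist, and builds a mailer command that never goes through a shell. The Python language choice, the function names, the address pattern and the `/usr/sbin/sendmail` path are assumptions made for illustration.

```python
import re

# Metacharacters listed in the advisory, plus newline and carriage return.
METACHARS = set("&;`'\\\"|*?~<>^()[]{}$\n\r")

# Assumption: a conservative allowlist for one address (not full RFC 5322).
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9._+-]{1,64}@[A-Za-z0-9-]{1,63}(?:\.[A-Za-z0-9-]{1,63})+"
)


def offending_chars(value):
    """Return the advisory's metacharacters that occur in value, sorted."""
    return sorted(set(value) & METACHARS)


def validate_recipient(value):
    """Accept only a full allowlist match; fullmatch also rejects a trailing newline."""
    if not ADDRESS_RE.fullmatch(value):
        raise ValueError(
            f"rejected recipient, metacharacters found: {offending_chars(value)}"
        )
    return value


def validate_header_text(value, max_len=998):
    """Free-text fields such as Subject may legitimately contain '?' or '&',
    so a character blacklist does not fit; forbid control characters (CR and LF
    included) and keep the value out of any shell or eval instead."""
    if len(value) > max_len or any(ord(c) < 32 or ord(c) == 127 for c in value):
        raise ValueError("rejected header text: control character or too long")
    return value


def sendmail_argv(sender, recipients):
    """Build an argument vector to execute directly, without a shell.
    Assumption: the mailer is /usr/sbin/sendmail; '--' ends option parsing, so
    an address that starts with '-' cannot be read as a mailer option."""
    argv = ["/usr/sbin/sendmail", "-i", "-f", validate_recipient(sender), "--"]
    return argv + [validate_recipient(r) for r in recipients]


if __name__ == "__main__":
    # Constructed sample addresses.
    print(sendmail_argv("alice@example.org", ["bob@example.org"]))
    print(validate_header_text("Lunch? Meet & greet at 12"))
```

Pass the returned list to `subprocess.run(argv, input=message_bytes)` so each address stays a single argument and no shell is involved.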
    


