Add2it Mailman command execution

From: b0iler _ (b0ilerat_private)
Date: Wed Feb 13 2002 - 16:57:32 PST

    #!/exploit/by/b0iler
    #
    #Add2it Mailman Free V1.73
    #script url: http://www.add2it.com/scripts/mailman-free.shtml
    
    The problem is that the script does not filter input well:
    
    $command = $ENV{'QUERY_STRING'};
    ($list, $email) = split(/=/,$command);
    
    and then the script makes an open() call based on input from the user:
    
    open(LIST, "${path}data/lists/$list");
    
    There are also open() calls with > and >> which use $list.
    The way to exploit this to write to a file would be:
    
    ../../../../file=dataat_private
    
    or for command execution:
    
    ../../../../bin/command|=blahat_private
    
    This exploit is for the free version of Add2it Mailman, but the same 
    vulnerability is probably valid for the paid for version.
    
    Fix: filter meta characters and .. and use < << > >> with open()
    
    The author was contacted on 1/30/02 and replied that day stating the problem 
    would be fixed in the next release, which should be out by the time of this 
    posting, although I haven't gotten any word about its release yet.
    
    -http://b0iler.advknowledge.net
    
    
    
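The fix suggested in the post, sketched as an added example that is not part of the original message and is not Add2it's code: the list name is checked against an allow-list and the file is opened with three-argument open(), so the path is never parsed for a mode or a pipe. The helper names `safe_list_name` and `open_list`, the temporary directory, and the sample query strings are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: accept only a plain list name (no path separators,
# dots, pipes, or redirection characters). Returns undef otherwise.
sub safe_list_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9_-]{1,64})\z/ ? $1 : undef;
}

# Hypothetical helper: open a list file with the mode passed separately.
# With three-argument open() a leading ">" or trailing "|" in the name
# is treated as part of the file name, not as a mode or a command.
sub open_list {
    my ($path, $list, $mode) = @_;
    my $name = safe_list_name($list);
    return undef unless defined $name;
    open(my $fh, $mode, "${path}data/lists/$name") or return undef;
    return $fh;
}

# Constructed sandbox so the example runs offline.
my $path = tempdir(CLEANUP => 1) . '/';
mkdir "${path}data"       or die "mkdir: $!";
mkdir "${path}data/lists" or die "mkdir: $!";
open(my $seed, '>', "${path}data/lists/news") or die "open: $!";
print {$seed} "subscriber\n";
close $seed;

# Constructed query strings: one normal request and two with the same
# shape as the inputs described in the post.
for my $query ('news=user', '../../../../file=data',
               '../../../../bin/command|=blah') {
    my ($list, $email) = split(/=/, $query, 2);
    my $fh = open_list($path, $list, '<');
    printf "%-32s %s\n", $query, $fh ? 'opened for reading' : 'rejected';
    close $fh if $fh;
}
```

Validation and the explicit mode are independent layers: the allow-list stops directory traversal, while three-argument open() removes the pipe and redirection interpretation even if a bad name slips through.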
    



    This archive was generated by hypermail 2b30 : Thu Feb 14 2002 - 15:50:28 PST