Re: emumail.cgi, one more local vulnerability (not verified)

From: Leif Jakob (bugtraqat_private-welt.com)
Date: Wed Apr 10 2002 - 08:58:52 PDT

    On Thu, Apr 04, 2002 at 03:17:16AM +0200, acidneoat_private wrote:
    
    Hi, 
    
    I found one more local exploit (not verified)
    
    > name            : emumail.cgi
    > date            : 04/04/2002
    > description     : EMU Webmail: how to check your email
    > from the web. 
    > severity        : Low/average-risk
    > homepage        : www.emumail.com
    > 
    > Any user can view files on the remote system:
    
    Here are the "nice" source fragments from emumail.cgi (I just downloaded
    it from their website):
    
    -------------------- CUT HERE --------------------
    # Host: header, attacker-controlled, used unchecked as part of a file name
    my $http_host = lc $ENV{'HTTP_HOST'};
    
    if ( -e "$http_host.init" ) {
      # two-argument open: the mode is taken from the string itself
      open(INI, "$http_host.init") || debug "Can't open $http_host.init! : $! ";
      # only the first line of the .init file is examined
      <INI> =~ /page_root\s*=\s*(\S+)/m;
      close(INI);
      $page_root = $1;
    }
    
    ...
    
    # two-argument open again, on a value read from the attacker's file
    open (IN, "$page_root/.....");
    -------------------- CUT HERE --------------------
    
    All you need is to send an HTTP Host header like "../../../../../tmp/evil", place
    a config file with the new page_root "|/tmp/evilprog ", and you have hijacked
    the CGI user on the next open call.
    
    I know it's a lame, local-only one, but I guess that Perl script has more
    "nice" things you can work on.
    
    Cheers
    
    Leif
    
    PS: Why the hell do they encrypt their source?
    
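The two defects Leif points at (a file name built from the Host: header, then a two-argument open() on a value read out of that file) reproduced stand-alone, beside a hardened version of the same steps. This is an added example, not code from the post or from EMU Webmail. It assumes a POSIX system with /bin/sh and id(1) on PATH; "../evil" stands in for the traversal Host value, "|id;#" for "/tmp/evilprog", "index.html" for whatever the real script appends after $page_root ("....." above), and the sandbox directory and both .init files are constructed inline.

```perl
#!/usr/bin/perl
# Added example, not emumail's code: a self-contained reproduction of the two problems
# in the posted fragment (a file name built from the Host: header, then a two-argument
# open() on a value read from that file), next to a hardened version of the same steps.
# Assumes a POSIX system with /bin/sh and id(1) on PATH; "index.html" stands in for
# whatever the real script appends after $page_root ("....." in the post).
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sandbox: a cgi-bin directory to run in, plus one attacker-written .init
# file one level up, standing in for /tmp/evil.init reached via "../" in the Host header.
my $sandbox = tempdir(CLEANUP => 1);
my $cgidir  = File::Spec->catdir($sandbox, 'cgi-bin');
mkdir $cgidir or die "mkdir: $!";
open(my $w, '>', File::Spec->catfile($sandbox, 'evil.init')) or die "write: $!";
# A leading '|' makes two-argument open() treat the string as a command to pipe into;
# ';#' makes /bin/sh ignore whatever the CGI appends after $page_root.
print $w "page_root = |id;#\n";
close($w);
open($w, '>', File::Spec->catfile($cgidir, 'webmail.example.com.init')) or die "write: $!";
print $w "# ordinary config\npage_root = /var/www/pages\n";
close($w);
chdir $cgidir or die "chdir: $!";

# --- Vulnerable pattern, mirroring the posted fragment ------------------------
sub vulnerable_page_root {
    my ($http_host) = @_;                 # straight from the Host: header
    my $page_root;
    $http_host = lc $http_host;
    if (-e "$http_host.init") {           # "../evil" -> "../evil.init"
        open(INI, "$http_host.init") or die "Can't open $http_host.init: $!";
        <INI> =~ /page_root\s*=\s*(\S+)/m;   # only the first line is examined
        close(INI);
        $page_root = $1;
    }
    return $page_root;
}

sub vulnerable_open {
    my ($page_root) = @_;
    # Two-argument open: a leading '|' means "pipe to this command", so the shell
    # runs attacker-chosen text with the CGI user's privileges.
    open(IN, "$page_root/index.html") or die "open failed: $!";
    close(IN);
    return 1;
}

# --- Hardened version -----------------------------------------------------------
sub safe_page_root {
    my ($http_host) = @_;
    # Accept only a plain host name: letters, digits, '-', '.', no '/' or '..'.
    return undef unless defined $http_host
        && lc($http_host) =~ /\A([a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*)\z/;
    my $ini = "$1.init";
    return undef unless -f $ini;
    open(my $fh, '<', $ini) or die "Can't open $ini: $!";   # explicit mode, no pipe magic
    my $page_root;
    while (my $line = <$fh>) {                               # scan the whole file
        if ($line =~ /\A\s*page_root\s*=\s*(\S+)\s*\z/) { $page_root = $1; last; }
    }
    close($fh);
    # page_root must be an absolute path of safe characters with no '..' component.
    return undef unless defined $page_root
        && $page_root =~ m{\A/(?:[A-Za-z0-9._-]+/)*[A-Za-z0-9._-]*\z}
        && $page_root !~ m{(?:\A|/)\.\.(?:/|\z)};
    return $page_root;
}

sub safe_open {
    my ($page_root, $rel) = @_;
    # Three-argument open with an explicit '<' mode never interprets the name.
    open(my $fh, '<', "$page_root/$rel") or return undef;
    my @lines = <$fh>;
    close($fh);
    return \@lines;
}

# --- Demo ----------------------------------------------------------------------
my $host = '../evil';                                   # attacker's Host: header
my $root = vulnerable_page_root($host);
print "vulnerable: page_root read from $host.init is '$root'\n";
print "vulnerable: the next open() runs that as a command; id(1) says:\n";
vulnerable_open($root);

print "hardened:   Host '$host' rejected\n" unless defined safe_page_root($host);
print "hardened:   page_root = ", safe_page_root('webmail.example.com'), "\n";
my $p = safe_open('|id;#', 'index.html');
print "hardened:   open('<', '|id;#/index.html') ", (defined $p ? 'succeeded' : 'failed'),
      ", nothing executed\n";
```

Run it with plain `perl`; the vulnerable half prints the uid of whoever runs the script, which is exactly the "hijacked the CGI user" point, while the hardened half rejects the traversal host name outright and, even when handed the "|id;#" value directly, only attempts to open a file literally named that way. The two changes that matter are the allow-list on the host name before it touches the filesystem and the three-argument open() with an explicit mode, which removes the pipe interpretation entirely.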



    This archive was generated by hypermail 2b30 : Wed Apr 10 2002 - 13:33:22 PDT