Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: web5109.htm

Add2It mailman allow command execution on server
18th Feb 2002 [SBWID-5109]

	Add2It mailman allow command execution on server


	Add2It Mailman free version 1.73 - possibly commercial version too.


	b0iler  []found   following,   on   add2it
	Mailman,       a       mailing        list        management        tool
	( ):

	The problem is that the script does not filter input well:


	$command = $ENV{\'QUERY_STRING\'};

	($list, $email) = split(/=/,$command);



	and then the script makes an open() call based on input from the user:


	open(LIST, \"${path}data/lists/$list\");



	There is also open()s with > and >> which use $list The way  to  exploit
	this to write to a file would be:





	or for command execution:





	This exploit is for the free version of Add2it  Mailman,  but  the  same
	vulnerability is probably valid for the paid for version.


	Fix: filter meta characters and .. and  use  <  <<  >  >>  with

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH