18th Feb 2002 [SBWID-5109]
COMMAND
Add2It Mailman allows command execution on server
SYSTEMS AFFECTED
Add2It Mailman free version 1.73 - possibly commercial version too.
PROBLEM
b0iler [http://b0iler.advknowledge.net] found the following in Add2It
Mailman, a mailing list management tool
(http://www.add2it.com/scripts/mailman-free.shtml):
The problem is that the script does not filter input well:
$command = $ENV{'QUERY_STRING'};
($list, $email) = split(/=/,$command);
and then the script makes an open() call based on input from the user:
open(LIST, "${path}data/lists/$list");
There are also open() calls with > and >> that use $list. The way to
exploit this to write to a file would be:
../../../../file=data@to.write
or for command execution:
../../../../bin/command|=blah@bleh.com
This exploit is for the free version of Add2it Mailman, but the same
vulnerability is probably present in the paid-for version.
SOLUTION
Fix: filter metacharacters and ".." out of the input, and use explicit
mode prefixes (< << > >>) with open()
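One way to apply this fix, as an added example that is not Add2It's own code: the list name is checked against an allow-list and the file is opened with three-argument open(), so the mode never comes from the user. The sub names safe_list_name and open_list_for_read and the value of $path are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not Add2It's code. Sub names and $path are assumptions.
use strict;
use warnings;

my $path = '/var/www/cgi-bin/mailman/';   # constructed value for the example

# Return the list name if it is a plain file name, otherwise nothing.
# Allow-list: letters, digits, underscore, hyphen. Dots, slashes, pipes and
# redirect characters never match, so ".." and "|" are rejected outright.
sub safe_list_name {
    my ($query) = @_;
    return unless defined $query;
    my ($list) = split /=/, $query, 2;
    return unless defined $list && $list =~ /\A([A-Za-z0-9_-]{1,64})\z/;
    return $1;    # the captured value is also untainted when run under -T
}

# Open the list file read-only. With three-argument open() the mode is fixed
# by the second argument, so a leading ">" or a trailing "|" in the name is
# treated as part of a file name and never as a redirect or a pipe.
sub open_list_for_read {
    my ($list) = @_;
    open(my $fh, '<', "${path}data/lists/$list") or return;
    return $fh;
}

# Constructed inputs: one ordinary request and the two shapes from the advisory.
for my $query ('newsletter=user@example.com',
               '../../../../file=data@to.write',
               '../../../../bin/command|=blah@bleh.com') {
    my $list = safe_list_name($query);
    printf "%-45s %s\n", $query,
        defined $list ? "accepted as '$list'" : 'rejected';
}
```

The same pattern applies to the script's write paths: pass '>' or '>>' as the second argument instead of embedding it in the file name string.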