Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5109.htm

Add2It mailman allow command execution on server



18th Feb 2002 [SBWID-5109]
COMMAND

	Add2It mailman allow command execution on server

SYSTEMS AFFECTED

	Add2It Mailman free version 1.73 - possibly commercial version too.

PROBLEM

	b0iler  [http://b0iler.advknowledge.net]found   following,   on   add2it
	Mailman,       a       mailing        list        management        tool
	(http://www.add2it.com/scripts/mailman-free.shtml ):
	

	The problem is that the script does not filter input well:
	

	

	$command = $ENV{\'QUERY_STRING\'};

	($list, $email) = split(/=/,$command);

	

	

	and then the script makes an open() call based on input from the user:
	

	

	open(LIST, \"${path}data/lists/$list\");

	

	

	There is also open()s with > and >> which use $list The way  to  exploit
	this to write to a file would be:
	

	

	../../../../file=data@to.write

	

	

	or for command execution:
	

	

	../../../../bin/command|=blah@bleh.com

	

	

	This exploit is for the free version of Add2it  Mailman,  but  the  same
	vulnerability is probably valid for the paid for version.

SOLUTION

	Fix: filter meta characters and .. and  use  <  <<  >  >>  with
	open()


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH