MailMan Webmail Vulnerability

Vulnerability ID 1106120 Vulnerability type Unknown
Published 2000-12-06 Updated 2006-11-14
CVE ID CVE-2001-0021 CNNVD-ID CNNVD-200102-104
Platform Unix CVSS score 10.0
|Vulnerability source
https://www.exploit-db.com/exploits/20469
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200102-104
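|Vulnerability details
MailMan Webmail 3.0.25 and earlier contain a vulnerability. A remote attacker can execute arbitrary commands via shell metacharacters in the alternate_template parameter.
|Exploit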
source: http://www.securityfocus.com/bid/2063/info


A vulnerability exists in 3.x versions of Endymion MailMan Webmail prior to release 3.0.26.

The widely-used Perl script provides a web-email interface.

Affected versions make insecure use of the Perl open() function. Attackers can control the way open() is supposed to work and execute arbitrary commands.

These commands will be executed with the privilege level of the CGI script (commonly user 'nobody'). This vulnerability may allow remote attackers to gain interactive 'local' access on the target server. 

The following request will execute the id command and echo back the uid.

/mmstdod.cgi?ALTERNATE_TEMPLATES=|%20echo%20"Content-Type:%20text%2Fhtml"%3Becho%20""%20%3B%20id%00
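
Added example, not part of the original advisory or of MailMan's own code: a check that flags access-log requests of the shape shown above by decoding the ALTERNATE_TEMPLATES value before looking for shell metacharacters or a NUL byte. It assumes Common Log Format logs; the sample lines, addresses and the value mytheme are constructed.

```python
import re
from urllib.parse import urlsplit, unquote_plus

PARAM = "alternate_templates"  # parameter named in the advisory
# Characters that change how a shell or Perl's two-argument open() treats a
# file name: pipe, separators, substitution, redirection, NUL, newline.
SUSPICIOUS = re.compile(r"[|;&`$<>\x00\n]")
# Request field of a Common Log Format line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log; addresses are from the documentation range.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Dec/2000:10:00:01 +0000] "GET /mmstdod.cgi?USERNAME=alice HTTP/1.0" 200 5120',
    '192.0.2.10 - - [06/Dec/2000:10:00:05 +0000] "GET /mmstdod.cgi?ALTERNATE_TEMPLATES=mytheme HTTP/1.0" 200 4211',
    '192.0.2.77 - - [06/Dec/2000:10:02:13 +0000] "GET /mmstdod.cgi?ALTERNATE_TEMPLATES=|%20id%00 HTTP/1.0" 200 61',
    '192.0.2.77 - - [06/Dec/2000:10:02:40 +0000] "GET /mmstdod.cgi?alternate_templates=%7Cid HTTP/1.0" 200 61',
]


def template_values(url):
    """Return the decoded values of the template parameter in a request URL."""
    values = []
    # Split on the raw '&' first so an encoded %26 stays inside its value.
    for pair in urlsplit(url).query.split("&"):
        name, _, raw = pair.partition("=")
        if unquote_plus(name).lower() == PARAM:
            values.append(unquote_plus(raw))
    return values


def scan(lines):
    """Return (line_number, decoded_value) for each request to investigate."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        for value in template_values(match.group(1)):
            if SUSPICIOUS.search(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious template value {value!r}")
```

Parameters sent in a POST body do not appear in access logs, so this covers only values passed in the URL.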
|References

Source: BID
Name: 2063
Link: http://www.securityfocus.com/bid/2063
Source: BUGTRAQ
Name: 20001206 (SRADV00005) Remote command execution vulnerabilities in MailMan Webmail
Link: http://archives.neohapsis.com/archives/bugtraq/2000-12/0057.html
Source: XF
Name: mailman-alternate-templates
Link: http://xforce.iss.net/static/5649.php
Source: www.endymion.com
Link: http://www.endymion.com/products/mailman/history.htm