Title: nph-maillist Arbitrary Code Execution Vulnerability
Severity: HIGH
Description:
nph-maillist is a Perl CGI script that handles mailing lists, typically used to notify interested users of site updates. A hostile user can enter commands embedded in an email address via the subscription form, and then force a mailing which will execute the commands.
The software does strip out the following characters commonly used on command lines: ":" "(" ")" "\" "/" as well as the space character. However, it does not check for the "`" character. This means that any of the other filtered characters that are required in the command string may be replaced with a command that will output the desired character, enclosed in "`" characters.
While nph-maillist.pl handles the administrative tasks of adding users and calling for a message to be sent, it is mailengine.pl that does the actual mailing. If mailengine.pl is specified in a GET request with the referrer field set to the maillist file on the target, the software will start mailing. In this way, the attacker can trigger the execution of their commands instead of waiting for the next mailout.
Affected Products:
- Matt Tourtillott nph-maillist 3.0.0
- Matt Tourtillott nph-maillist 3.5.0
References:
- Matt Tourtillott: The Email List Generator
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
