
cgiemail - mail-form

download from: http://web.mit.edu/wwwdev/cgiemail/


problem description:

Due to improper input validation, this program can be used to view the
source of many script files (Perl, PHP, Python and many more) within
your webserver directories.

Even though cgiemail checks for "template-variables", it will reveal
any source file containing arrays or regular expressions, since both
use the same square-bracket syntax cgiemail treats as a template variable.

sample:

---begin part of cgiscript dumb.pl---
array[i] = "mungo";
---end part of cgiscript dumb.pl---

sample-exploit:

http://www.dubmass.com/cgiemail/cgi-bin/dumb.pl?i=0

(note the i parameter and compare it with cgiemail's template-variable format :)
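To show why the i parameter leaks the script, here is an added example (not cgiemail's own code) that re-implements the template step in Python: the vulnerable form renders whatever file path it is given, the hardened form only renders files inside a fixed template directory with a template extension. The [name] substitution syntax, the templates/ directory, the .txt extension and the sample files are assumptions for the demo.

```python
import os
import re
import tempfile

# Assumed template syntax: [name] is replaced by the CGI parameter "name".
TEMPLATE_VAR = re.compile(r"\[([A-Za-z_][A-Za-z0-9_]*)\]")


def substitute(text, params):
    return TEMPLATE_VAR.sub(lambda m: params.get(m.group(1), ""), text)


def render_unchecked(path, params):
    """Vulnerable form: any readable file is treated as a template, so a
    script containing array[i] is returned with [i] replaced (i=0 -> array0)."""
    with open(path) as f:
        return substitute(f.read(), params)


def render_checked(template_root, name, params, allowed_ext=(".txt",)):
    """Hardened form: the resolved path must stay inside template_root and
    carry a template extension; everything else is refused before reading."""
    root = os.path.realpath(template_root)
    full = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("template outside template directory")
    if os.path.splitext(full)[1] not in allowed_ext:
        raise ValueError("not a template file")
    with open(full) as f:
        return substitute(f.read(), params)


def demo():
    """Constructed sample: one real template and the dumb.pl from above."""
    base = tempfile.mkdtemp()
    tpl_dir = os.path.join(base, "templates")
    os.mkdir(tpl_dir)
    with open(os.path.join(tpl_dir, "form.txt"), "w") as f:
        f.write("From: [email]\nMessage: [msg]\n")
    with open(os.path.join(base, "dumb.pl"), "w") as f:
        f.write('array[i] = "mungo";\n')
    params = {"i": "0", "email": "a@example.invalid", "msg": "hi"}
    out = {"leak": render_unchecked(os.path.join(base, "dumb.pl"), params),
           "ok": render_checked(tpl_dir, "form.txt", params)}
    try:
        render_checked(tpl_dir, "../dumb.pl", params)
        out["script"] = "rendered"
    except ValueError as e:
        out["script"] = str(e)
    return out
```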

yup


RC-EOF

