mailing list archives
Unsafe passing of variables to mailform.pl in MailForm V2.0
From: Karl Hanmore <karl () SYSTEM-ADMINISTRATOR NET>
Date: Mon, 11 Sep 2000 23:00:25 +0000
Title: Unsafe passing of variables to mailform.pl in MailForm V2.0 For
Unix or NT
Advisory Author: Karl Hanmore <karl () system-administrator net>
Script URL: http://rlaj.com/scripts/mailform
Script Author: Ranson Johnson
Advisory Released: 11 September 2000
Vendor notified: support () rlaj com 05 Sept. 2000
Disclaimer: This information is provided AS IS. Neither myself, my
employer or any other organisation or person warrant the information
supplied herein. In no instance will myself or any other organisation
I am involved accept responsibility for any damage or injury caused as
a result of the use of any information provided herein. This
information is provided for education use only, and to allow
potentially effected persons to more adequatly secure their systems.
Vunerable: Tested version, current version as distributed on website
on 05 September 2000.
Overview: This script provides a way in which the user of the script
can be provided with specific information. Files may also be
attached. By making a copy of the form source and modifying the
XX-attach_file variable, a user may mail himself a copy of any file
readable by uid of the running cgi process.
Impact: Abuse of this vunerability allows a would be attacker to gain
copies of files on the system, possibly enabling leverage of such for
Detail: The script will happily forward the file listed in the
XX-attach_file variable as passed from the form. This file can be any
file that can be read by the uid of the running cgi process. It
should be noted that numerous other variables are passed as hidden
fields, and it is most likely that some of these may be levered to
Fix: Use of hidden fields should be avoided where ever possible.
Vairables such as the system type, file to be sent etc should be
configured within the cgi itself, not passed to the cgi as hidden
fields. This script should be majorly re-written to avoid these
issues, and a detailed fix is outside of the scope of this advisory.
It is recomended that use of this script be avoided until the vendor
has addressed these issues. The script author has addressed several
issues promptly after being contacted regarding this problems,
however, it is the belief of the author of this advisory that
there may still be some outstanding issues relating to configuration
information being passed via hidden form fields.
Patch: None provided - extensive re-write of script required to ensure
better security. It should be noted that the script author has
already addressed some of the issues raised, including adding a
referer check into the script.
- Unsafe passing of variables to mailform.pl in MailForm V2.0 Karl Hanmore (Sep 12)