cgiemail (included with cPanel) local file inclusion vulnerability

[Finbar Crago <finbar.crago () gmail com>]

cgiecho a script included with cgiemail will return any file under a
websites document root if the file contains square brackets and the
text within the brackets is guessable.

e.g: http://hostname/cgi-sys/cgiecho/login.php?'pass'=['pass'] will
display http://hostname/login.php if it contains $_POST['pass']

This behaviour is listed as a 'small risk' in the original
documentation (and back in 1998 it probably was). The issue is that
cgiemail is still shipped with cPanel (enabled by default) and while
they acknowledge the risks in the hosting administration panel i am
unable to find any reference to this on the hosting client side.

Considering how wide spread cPanel usage is and how easy this is to
exploit i feel it should have a little more exposure...

http://web.mit.edu/wwwdev/cgiemail/webmaster.html#security
http://documentation.cpanel.net/display/1144Docs/Tweak+Settings+-+Security#TweakSettings-Security-CGIEmailandCGIEcho

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/