Title: Poor variable checking in mailto.cgi
Released by: Karl Hanmore
Date: 11th September 2000
Title: Poor variable checking in mailto.cgi (Mail - Credit Card Combo Mail-to and Credit Card program)

Advisory Author: Karl Hanmore

Script URL: http://rlaj.com/scripts/mailto/

Script Author: Ranson Johnson

Advisory Released: 11 September 2000

Vendor notified: support@rlaj.com 05 Sept. 2000

Disclaimer: This information is provided AS IS. Neither I, my employer nor any other organisation or person warrants the information supplied herein. In no instance will I or any other organisation I am involved with accept responsibility for any damage or injury caused as a result of the use of any information provided herein. This information is provided for educational use only, and to allow potentially affected persons to more adequately secure their systems.

Vulnerable: Tested version, current version as distributed on the website on 05 September 2000.

Overview: This script allows a feedback form or credit card order to be emailed to the site admin. It also sends a reply to the person submitting the form. A malicious user can use a malformed email address to execute arbitrary commands on the web server.

Impact: Abuse of this vulnerability allows arbitrary commands to be run as the user id of the running CGI process. This could be used to delete or modify files, or to send copies of arbitrary files via email to an attacker.

Detail: The "emailadd" field from the form is used directly in a piped open. This allows an attacker to execute arbitrary commands by choosing the value of the email address.

Fix: Input checking should be performed to ensure only valid characters are contained within the email address. User-supplied variables should not be passed to system(), piped opens or other such executable operations. A patch is provided below to perform rudimentary address checking and avoid passing user input to a piped open. It is believed that the script author addressed this immediately upon notification of the problem, and that new versions should already be updated accordingly.
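The pattern described under Detail and the fix recommended above, as an added Perl illustration written for this page (it is not mailto.cgi and not the advisory author's patch, which is not reproduced here): the vulnerable form interpolates the "emailadd" value into a one-string piped open, so the command string goes through a shell; the hardened form validates the address against a strict character whitelist and uses the list form of open, which executes sendmail directly with the address as a single argument. The sendmail path and the reply text are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Vulnerable pattern (the one the advisory describes): the form field is
# interpolated into a single-string piped open.  Perl hands a command
# string containing shell metacharacters to /bin/sh, so any such
# characters in the address are interpreted by the shell.  Shown for
# contrast only.
sub send_reply_vulnerable {
    my ($emailadd, $body) = @_;
    open(my $mail, "|/usr/lib/sendmail $emailadd")   # DO NOT USE
        or die "cannot start sendmail: $!";
    print $mail "Subject: Thanks for your order\n\n$body\n";
    close $mail;
}

# Rudimentary address check: one address, a restricted character set,
# anchored at both ends so a space, newline, quote, pipe or other shell
# or mail-header metacharacter cannot get through.  A leading '-' is
# refused so the value can never be mistaken for a sendmail option.
sub valid_email {
    my ($addr) = @_;
    return undef unless defined $addr && length($addr) <= 254;
    return $addr
        if $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/;
    return undef;
}

# Hardened form: validate first, then use the list form of open.  With a
# list, Perl execs the program directly (no shell) and the address
# reaches sendmail as a single argv element.  Path is an assumption.
sub send_reply_safe {
    my ($emailadd, $body) = @_;
    my $to = valid_email($emailadd);
    die "rejected recipient address\n" unless defined $to;
    open(my $mail, '|-', '/usr/lib/sendmail', '-oi', $to)
        or die "cannot start sendmail: $!";
    print $mail "To: $to\nSubject: Thanks for your order\n\n$body\n";
    close $mail or warn "sendmail exited with status $?\n";
}

# Self-check on constructed inputs; nothing is sent.
for my $in ('user@example.com', '-user@example.com', 'user@example.com;',
            "user\@example.com\nBcc: other\@example.com") {
    printf "%-40s %s\n", $in =~ s/\n/\\n/gr,
        defined valid_email($in) ? 'accepted' : 'rejected';
}
```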

Patch: See above disclaimer. This patch is provided AS IS, however, the advisory author believes this should remedy the problem as

Karl Hanmore

Email: karl@system-administrator.net

(C) 1999-2000 All rights reserved.