[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Unsafe passing of variables to mailform.pl in MailForm V2.0 For Unix or NT

Title: Unsafe passing of variables to mailform.pl in MailForm V2.0 For Unix or NT
Released by: Karl Hanmore
Date: 11th September 2000
Printable version: Click here
Title: Unsafe passing of variables to mailform.pl in MailForm V2.0 For

Unix or NT

Advisory Author: Karl Hanmore 

Script URL: http://rlaj.com/scripts/mailform

Script Author: Ranson Johnson

Advisory Released: 11 September 2000

Vendor notified: support@rlaj.com 05 Sept. 2000

Disclaimer: This information is provided AS IS.  Neither myself, my

employer or any other organisation or person warrant the information

supplied herein. In no instance will myself or any other organisation

I am involved accept responsibility for any damage or injury caused as

a result of the use of any information provided herein.  This

information is provided for education use only, and to allow

potentially effected persons to more adequatly secure their systems.

Vunerable: Tested version, current version as distributed on website

on 05 September 2000.

Overview:  This script provides a way in which the user of the script

can be provided with specific information.  Files may also be

attached.  By making a copy of the form source and modifying the

XX-attach_file variable, a user may mail himself a copy of any file

readable by uid of the running cgi process.

Impact: Abuse of this vunerability allows a would be attacker to gain

copies of files on the system, possibly enabling leverage of such for

further vunerabilities.

Detail: The script will happily forward the file listed in the

XX-attach_file variable as passed from the form.  This file can be any

file that can be read by the uid of the running cgi process.  It

should be noted that numerous other variables are passed as hidden

fields, and it is most likely that some of these may be levered to

cause problems.

Fix: Use of hidden fields should be avoided where ever possible.

Vairables such as the system type, file to be sent etc should be

configured within the cgi itself, not passed to the cgi as hidden

fields.  This script should be majorly re-written to avoid these

issues, and a detailed fix is outside of the scope of this advisory.

It is recomended that use of this script be avoided until the vendor

has addressed these issues.  The script author has addressed several

issues promptly after being contacted regarding this problems,

however, it is the belief of the author of this advisory that

there may still be some outstanding issues relating to configuration

information being passed via hidden form fields.

Patch: None provided - extensive re-write of script required to ensure

better security.  It should be noted that the script author has

already addressed some of the issues raised, including adding a

referer check into the script.

(C) 1999-2000 All rights reserved.