[NEWS] Directory Traversal vulnerability in sendform.cgi
From: support@securiteam.com Date: 07/31/02
From: support@securiteam.com To: list@securiteam.com Date: Wed, 31 Jul 2002 13:04:33 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Directory Traversal vulnerability in sendform.cgi
------------------------------------------------------------------------
SUMMARY
Rod Clark's <http://www.scn.org/~bb615/scripts/sendform.html>
sendform.cgi is a CGI program that reads form data and sends it to a
program-specified administrator. An optional capability can send
additional "blurb files" to the e-mail address that is provided in the
form.
Unfortunately, any remote attacker can use sendform.cgi to read arbitrary
files with the privileges of the web server by modifying the BlurbFilePath
parameter to reference the desired files.
DETAILS
Vulnerable systems:
* Sendform versions 1.4.4 and earlier, primarily before 1.4
Immune systems:
* Sendform version 1.45
When sendform.cgi is used to notify a user that their form has been
submitted, it can read "blurb files" from the web server and send them in
an email to the user. A remote attacker can manipulate the BlurbFilePath
parameter to identify any target file (or set of files) on the web server,
such as /etc/passwd. The "email" parameter can then be modified to point
to the attacker's own email address, and the SendCopyToUser parameter set
to "yes". When the attacker submits the full request to sendform.cgi, a
copy of the target file will be sent to the attacker. There may be
alternate attack vectors that do not require the SendCopyToUser parameter.
If the attacker can write files to the web server running sendform.cgi,
then the attacker can fully control the content of the e-mail message and
send it to arbitrary e-mail addresses. Since other form fields such as the
subject line are under attacker control, sendform.cgi could then be used
as a "spam proxy", in a fashion similar to the well-known vulnerability in
formmail.pl.
The filename that is provided to BlurbFilePath does not have to contain
'..' sequences to escape the web root: an absolute pathname will also
work. Since sendform.cgi only allows a small range of characters, plus
'..' and '/', the attacker cannot execute commands via shell
metacharacters or redirect output to other files.
It should be noted that there appear to be multiple programs named
"sendform.cgi", including custom CGI scripts, which are unrelated to the
product being discussed in this advisory.
Solution:
Upgrade to the current version, found at:
<http://www.scn.org/~bb615/scripts/sendform.html>
The only feasible workaround is to disable the Blurb File feature by
commenting out calls to the functions MailFirstBlurbFile() and
MailOtherBlurbFiles().
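The following is an added example, not code from the advisory or from Rod Clark's sendform.cgi. It shows the two checks a defender wants for the flaw described above: a path-confinement check that rejects both absolute paths and '..' sequences before a blurb file is opened (the small character set the advisory mentions is not sufficient on its own), and a detector that scans web-server access-log lines for requests whose BlurbFilePath value would fail that check. The blurb directory /var/www/blurbs, the sample log lines and the client addresses in them are constructed assumptions; only the parameter names BlurbFilePath, email and SendCopyToUser come from the advisory.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Assumed directory from which blurb files may be served (not from the advisory).
BLURB_DIR = "/var/www/blurbs"

# Only a bare filename is accepted: no '/', and no '..' anywhere. The advisory
# notes that allowing '..' and '/' alongside a small character set still lets
# an absolute path or a '..' sequence escape the intended directory.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]*$")


def resolve_blurb_path(requested: str, base_dir: str = BLURB_DIR) -> Optional[str]:
    """Return the absolute path of a blurb file confined to base_dir, or None
    if the requested name is not acceptable."""
    if not SAFE_NAME.fullmatch(requested) or ".." in requested:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # Belt-and-braces confinement: even after symlinks are resolved, the
    # candidate must still lie inside base_dir.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


# Constructed sample access-log lines (common log format); not real traffic.
# Only GET query strings are visible here: a POSTed BlurbFilePath does not
# appear in a standard access log, so this detector covers GET requests only.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Jul/2002:13:04:33 +0200] "GET /cgi-bin/sendform.cgi?BlurbFilePath=welcome.txt&email=user@example.com HTTP/1.0" 200 512
10.0.0.7 - - [31/Jul/2002:13:05:01 +0200] "GET /cgi-bin/sendform.cgi?BlurbFilePath=/etc/passwd&email=user@example.com&SendCopyToUser=yes HTTP/1.0" 200 2048
10.0.0.9 - - [31/Jul/2002:13:06:12 +0200] "GET /cgi-bin/sendform.cgi?BlurbFilePath=../../../../etc/passwd&SendCopyToUser=yes HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def flag_traversal_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_address, BlurbFilePath value) for every logged request
    whose BlurbFilePath value would be rejected by resolve_blurb_path()."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs percent-decodes values, so encoded '..' or '/' are caught too.
        for value in parse_qs(query).get("BlurbFilePath", []):
            if resolve_blurb_path(value) is None:
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for client, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"suspicious BlurbFilePath from {client}: {value!r}")
```

Run against the constructed log above, the detector flags the requests from 10.0.0.7 and 10.0.0.9 and leaves the plain "welcome.txt" request alone. The confinement check is what the script itself would need to call before opening a blurb file if the Blurb File feature is kept enabled rather than commented out.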
ADDITIONAL INFORMATION
The information has been provided by <mailto:coley@linus.mitre.org>
Steven M. Christey.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.