Another cgiemail bug

From: sec (vulns@sm.detack.de)
Date: 06/14/02


Date: Fri, 14 Jun 2002 17:20:55 +0300 (EEST)
From: sec <vulns@sm.detack.de>
To: <bugtraq@securityfocus.com>, <vuln-dev@securityfocus.com>, <bugs@securitytracker.com>, <vulnwatch@vulnwatch.org>, <submissions@packetstormsecurity.org>


Yet another cgiemail and others bug.
Not much to report, so we'll keep it concise.
cgiemail: http://web.mit.edu/wwwdev/cgiemail/

Discussion:
It's on open relaying bug. This vulnerability affects cgiemail and a lot
of other web/mail applications, we are concentrating on cgiemail because
it is considered safe. The same kind of exploit can be performed on many
similar apps using the blessed "sendmail -t" to send the mail and avoid
the bad attacker getting a shell.

Details:
The problem is very few developers filter the new line code "%0a". When
posting data to the web/mail application, the remote user can take one of
the predefined variables and add "%0a" followed by additional fields
decoded by sendmail. For example CC: or Bcc: and so on. The result is that
the mail is going to a lot of other addresses.

Example:
POST

/cgi-bin/cgiemail?required-webmaster=xxx@xxx.com&required-from=zzz@zzz.com&
required-subject=spam%0aCC:address1@smap.com%20address2@smap.com%20address3@smap.com&
comments=spam%20message

Simple, clear enough.

------------------
Vulnerability Reporting
Detack GmbH
IT Security Audits
Alfred-Herrhausen-Str. 44 D - 58455 Witten
Phone +49 (0) 2302 / 915 - 291
Fax +49 (0) 2302 / 915 - 295
Email: vulns@detack.de
WWW: www.detack.de