Re: Another cgiemail bug

From: Christopher X. Candreva (chris@westnet.com)
Date: 06/14/02


Date: Fri, 14 Jun 2002 11:30:44 -0400 (EDT)
From: "Christopher X. Candreva" <chris@westnet.com>
To: sec <vulns@sm.detack.de>

On Fri, 14 Jun 2002, sec wrote:

> Example:
> POST
>
> /cgi-bin/cgiemail?required-webmaster=xxx@xxx.com&required-from=zzz@zzz.com&
> required-subject=spam%0aCC:address1@smap.com%20address2@smap.com%20address3@smap.com&
> comments=spam%20message
>
> Simple, clear enough.

Not really. Your example is going to do nothing but generate an error, at
least under cgiemail 1.6.

First, cgiemail requires a textfile template on the server itself as part
of the URL to run the script. For example (from the cgiemail home page,
cgiecho is the test program):

<FORM METHOD="POST"
 ACTION="http://web.mit.edu/bin/cgiecho/wwwdev/cgiemail/questions3.txt">

In this case it's using a template file on the server in the directory
wwwdev/cgiemail called questions3.txt.
Without such a file it generates an error. There is no template referenced in
your example above, so the options are never even parsed (or possibly it
attempts to open it as a file on the local system, which still won't work).

In the specific case where there is an e-mail template on the server that
takes a field called required-subject and uses it in the Subject: line, then
your exploit may work in theory, though you would have to know the location
of this file and add it to your example.

Yes, the location of the template will be in any forms that use it. However,
the only way to determine if any fields are actually sent in the headers is
testing each form to see if the template is retrievable via the web, or what
fields will be in the headers of a generated e-mail. That seems to me to be
non-trivial, though not to say it can't be done.

While this should probably be fixed, this is not going to be immediately
exploitable on every cgiemail binary.

==========================================================
Chris Candreva -- chris@westnet.com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
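The two points argued in this reply (the script does nothing without a template named in the URL, and the injection only bites where a template puts a field into a header line) can be modelled in a few lines. The following is an added example, not part of the thread and not cgiemail's own code: the [field-name] placeholder syntax, the template path wwwdev/cgiemail/questions3.txt as a dictionary key, and the POST body are all constructed for the demonstration, modelled on what is quoted above. It renders the same template once naively and once with CR/LF stripped from header values, and parses both results the way a mail reader would.

```python
"""Header injection through a cgiemail-style template, shown beside a fix.

Added example, not cgiemail's own code. The template syntax ([field-name]
placeholders), the template path and the form body are constructed for this
demonstration; they are modelled on the thread, not copied from cgiemail.
"""
import re
from email.parser import Parser
from urllib.parse import parse_qs

SCRIPT = "/cgi-bin/cgiemail"

# Constructed stand-in for a template file living on the server. The reply
# points out that the script does nothing without such a file in the URL.
TEMPLATE = (
    "To: [required-webmaster]\n"
    "From: [required-from]\n"
    "Subject: [required-subject]\n"
    "\n"
    "[comments]\n"
)
TEMPLATES = {"wwwdev/cgiemail/questions3.txt": TEMPLATE}  # path is assumed

# Constructed POST body modelled on the one quoted in the thread: %0a is a
# newline, so the "subject" continues onto a new header line.
POST_BODY = (
    "required-webmaster=xxx@xxx.com&required-from=zzz@zzz.com&"
    "required-subject=spam%0aCC:address1@smap.com%20address2@smap.com&"
    "comments=spam%20message"
)


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into {name: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unsafe(template, fields):
    """Naive substitution: field values land in the headers byte-for-byte,
    so a CR or LF inside a value starts a new header (the reported bug)."""
    out = template
    for name, value in fields.items():
        out = out.replace("[" + name + "]", value)
    return out


def sanitize_header_value(value):
    """Fold any CR/LF run (plus the folding whitespace that may follow it)
    to a single space so a value can never terminate the header it is in."""
    return re.sub(r"[\r\n]+[ \t]*", " ", value).strip()


def render_safe(template, fields):
    """Same substitution, but values placed in the header block are
    sanitized first; the message body keeps the raw text."""
    headers, sep, body = template.partition("\n\n")
    safe_fields = {k: sanitize_header_value(v) for k, v in fields.items()}
    return render_unsafe(headers, safe_fields) + sep + render_unsafe(body, fields)


def headers_of(message):
    """Header names as a mail parser sees them in the rendered text."""
    return list(Parser().parsestr(message).keys())


def handle_request(path, body, safe=False):
    """Model of the dispatch described in the reply: the template is named by
    the path after the script; with no (or an unknown) template the form is
    never rendered and the request is an error."""
    if not path.startswith(SCRIPT):
        return ("error", "not a cgiemail URL")
    template_name = path[len(SCRIPT):].lstrip("/")
    template = TEMPLATES.get(template_name)
    if template is None:
        return ("error", "no template %r" % template_name)
    renderer = render_safe if safe else render_unsafe
    return ("ok", renderer(template, parse_form(body)))


if __name__ == "__main__":
    # The URL from the quoted example names no template: error, nothing rendered.
    print(handle_request(SCRIPT, POST_BODY))
    url = SCRIPT + "/wwwdev/cgiemail/questions3.txt"
    _, unsafe_msg = handle_request(url, POST_BODY)
    print(unsafe_msg, headers_of(unsafe_msg))   # a CC: header appears
    _, safe_msg = handle_request(url, POST_BODY, safe=True)
    print(safe_msg, headers_of(safe_msg))       # CC: text stays inside Subject:
```

Run it and compare the two header lists: with the naive renderer the injected line is parsed as a real CC: header, with the sanitized renderer the same bytes stay inside the Subject: value. The check to add on a real deployment is the one in sanitize_header_value: reject or fold CR and LF in every field that a template can place above the blank line, regardless of which templates happen to be reachable today.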


