[808] in WWW Security List Archive
Re: SECURITY HOLE: FormMail
daemon@ATHENA.MIT.EDU (Michael Kerr)
Thu Aug 3 14:51:30 1995
Date: Thu, 3 Aug 1995 09:46:35 -0400 (EDT)
From: Michael Kerr <mkerr@largnet.uwo.ca>
To: Paul Phillips <paulp@cerf.net>
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <199508030428.VAA19258@nic.cerf.net>
Errors-To: owner-www-security@ns2.rutgers.edu
On Wed, 2 Aug 1995, Paul Phillips wrote:
> In article <DCpnJ9.4Kq@k12.colostate.edu> mattw@alpha.pr1.k12.co.us
> (Matthew M. Wright) writes:
> >My script at:
> >
> >http://alpha.pr1.k12.co.us/~mattw/scripts.html
> >
> >called FormMail does this exact thing. It works pretty much on any form and
> >you just have to specify the email address of yourself in a hidden field in
> >the form. I don't think that this script has a security hole in it as
> >mentioned in a previous posting about a program called AnyForm. It pipes the
> >information to you in a different way. Of course if there was anyone who
> >wanted to check this I don't think it would hurt.
>
> Okay folks, you know the drill.
>
> It does have a security hole, it has the *exact* same hole that
> AnyForm did, except that it is exploited via open instead of system.
> But a shell by any other name...
>
> Here's the offending line:
>
> open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n";
I didn't realize until now that that was a security problem, but now I
see that you can put any text for 'recipient' and screw the works up. We
were using form-mail before, but now we're using webmonitor from NCSA
which seems to prevent this because it uses nicknames in a data file.
Mike.
=============================================================================
Michael Kerr (Webmaster) PHONE: (519) 685-8300 x7364
Victoria Hospital FAX: (519) 685-8305
World Wide Web Development Team http://www.vichosp.london.on.ca
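The two fixes implied by the thread above (a nickname table on the server, as webmonitor does, and starting the mailer without a shell) put together as an added Perl example; this is not FormMail's or webmonitor's code, and the table contents, the $mailprog path and the sample inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example, not FormMail's or webmonitor's code.
# The offending line in FormMail interpolated $FORM{'recipient'} into a
# "|$mailprog ..." string, so /bin/sh parsed whatever the form sent.
# Here the form value is only a nickname looked up in a server-side table,
# and the mailer is started with the list form of open(), which execs
# $mailprog directly with one argv element per argument; no shell is involved.
use strict;
use warnings;

my $mailprog = '/usr/lib/sendmail';   # assumed path; adjust for the host

# Nickname -> real address. In practice this is read from a data file
# owned by the webmaster; the browser never supplies an address.
my %recipients = (
    webmaster => 'webmaster@example.org',   # constructed sample entries
    info      => 'info@example.org',
);

# Returns the real address for a form-supplied nickname, or undef when the
# value is not a known nickname. Only the table decides where mail goes.
sub resolve_recipient {
    my ($nick) = @_;
    return undef unless defined $nick;
    return undef unless $nick =~ /\A[A-Za-z0-9_-]{1,32}\z/;   # shape check first
    return $recipients{$nick};
}

sub send_form_mail {
    my ($nick, $subject, $body) = @_;
    my $to = resolve_recipient($nick);
    die "unknown recipient nickname\n" unless defined $to;
    $subject =~ s/[\r\n]//g;    # keep the form from adding extra headers

    # List form: $mailprog receives '-oi' and $to as separate arguments,
    # so the recipient string is never parsed by a shell.
    open(my $mail, '|-', $mailprog, '-oi', $to)
        or die "Can't open $mailprog: $!\n";
    print $mail "To: $to\nSubject: $subject\n\n$body\n";
    close($mail) or die "mailer failed: $!\n";
    return $to;
}

# Constructed sample inputs: a known nickname and an arbitrary address typed
# into the hidden field. Only the first resolves; the second is rejected
# before any mailer is started.
for my $nick ('webmaster', 'someone@example.net') {
    my $to = resolve_recipient($nick);
    print "$nick => ", (defined $to ? $to : 'rejected'), "\n";
}
```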