[8487] in bugtraq
Re: Several new CGI vulnerabilities
daemon@ATHENA.MIT.EDU (Lincoln Stein)
Tue Nov 10 16:14:32 1998
Date: Tue, 10 Nov 1998 14:43:27 -0500
Reply-To: lstein@cshl.org
From: Lincoln Stein <lstein@CSHL.ORG>
X-To: Gus <angus@INTASYS.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.95.981110143446.915B-100000@victim.intasys.com>
Gus writes:
> On Mon, 9 Nov 1998, xnec wrote:
> >
> > EXPLOIT:
> >
> > Each of these are exploitable by inputing metacharacters into the
> > recipient's email address. Each script calls something similar
> > to:
> >
> > open( MAIL, "|$mailprog $email" )
>
> This is one that just won't go away, and rather than try the (frankly
> quite fruitless) metachar filtering route, it might be an idea for CGI
> providing ISP's to insist on the use of perl's Mail::Sendmail module,
> which cuts out any potential pipe/metachar related bugs by communicating
> directly w/ the SMTP server.
Net::SMTP is more likely to be installed on ISP's
machines. Mail::Sendmail is a bit of an oddball. There are also other
ways to avoid the fruitless metachar search and destroy mission.
First off, why do people think they need to put the recipient's
address on the command line in the first place?
open (MAIL,"| /usr/lib/sendmail -t -oi");
print MAIL <<END;
To: $mailto
From: me (me\@nowhere.com)
Subject: nothing much
Hi there!
END
close MAIL;
And here's a general Perl technique for opening pipes without getting
the shell involved at all:
open (MAIL,"|-") || exec '/usr/lib/sendmail','-t','-oi';
print MAIL <<END;
To: $mailto
From: me (me\@nowhere.com)
Subject: nothing much
Hi there!
END
close MAIL;
Lincoln
--
========================================================================
Lincoln D. Stein Cold Spring Harbor Laboratory
lstein@cshl.org Cold Spring Harbor, NY
========================================================================
