[16706] in bugtraq
Fwd: Poor variable checking in mailto.cgi
daemon@ATHENA.MIT.EDU (Karl Hanmore)
Mon Sep 11 13:40:22 2000
Message-Id: <200009111255.e8BCtfj49655@wintermute.system-administrator.net>
Date: Mon, 11 Sep 2000 22:55:41 +0000
Reply-To: Karl Hanmore <karl@SYSTEM-ADMINISTRATOR.NET>
From: Karl Hanmore <karl@SYSTEM-ADMINISTRATOR.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Title: Poor variable checking in mailto.cgi (Mail - Credit Card Combo Mail-to and Credit Card program)
Advisory Author: Karl Hanmore <karl@system-administrator.net>
Script URL: http://rlaj.com/scripts/mailto/
Script Author: Ranson Johnson
Advisory Released: 11 September 2000
Vendor notified: support@rlaj.com 05 Sept. 2000
Disclaimer: This information is provided AS IS. Neither myself, my
employer nor any other organisation or person warrants the information
supplied herein. In no instance will myself or any other organisation
I am involved with accept responsibility for any damage or injury caused as
a result of the use of any information provided herein. This
information is provided for educational use only, and to allow
potentially affected persons to more adequately secure their systems.
Vulnerable: Tested version, the current version as distributed on the website
on 05 September 2000.
Overview: This script allows a feedback / credit card order to
be emailed to the site admin. The script also sends a reply to
the person submitting the form. A malicious user can use a malformed
email address to execute arbitrary commands on the web server.
Impact: Abuse of this vulnerability allows running of arbitrary commands
as the user id of the running CGI process. This could potentially be
used to delete or modify files, or to send copies of arbitrary files
via email to an attacker.
Detail: The "emailadd" field from the form is used directly in
conjunction with a piped open. This allows an attacker to execute
arbitrary commands by choosing the value of the email address
carefully.
Fix: Input checking should be performed to ensure only valid
characters are contained within the email address. User-supplied
variables should not be passed to system(), piped opens or other such
executable operations. The patch provided below performs rudimentary
address checking and avoids passing user input to a piped open. It is
believed that this was addressed immediately by the script author
upon notification of the problem, and that new versions should already
be updated accordingly.
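As an added example (not code from this advisory, nor from the rlaj.com mailto.cgi script), the following Perl shows the piped-open pattern the advisory describes beside a hardened version that implements the fix it recommends: a restrictive check on the address, and handing the address to sendmail as message data rather than as part of a shell command line. The form field name "emailadd" is the advisory's; the sendmail path, the subject line and the sample addresses are assumed or constructed for the example.

```perl
#!/usr/bin/perl -w
# Added example, not the rlaj.com mailto.cgi source. Shows the pattern the
# advisory describes and a hardened replacement. The field name "emailadd"
# comes from the advisory; the sendmail path and reply text are assumed.
use strict;

# --- Vulnerable pattern (illustration only) --------------------------------
# A one-string piped open is handed to /bin/sh whenever it contains shell
# metacharacters, so whatever the user typed into "emailadd" becomes part
# of a shell command line.
sub send_reply_vulnerable {
    my ($emailadd, $body) = @_;
    open(MAIL, "|/usr/lib/sendmail $emailadd") or die "sendmail: $!\n";
    print MAIL "To: $emailadd\nSubject: Thank you for your order\n\n$body\n";
    close(MAIL);
}

# --- Hardened replacement ---------------------------------------------------
# 1. Accept only a conservative address syntax. \z (not $) is used so a
#    trailing newline cannot slip through, which matters once the address
#    is written into mail headers.
sub valid_email {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# 2. Keep user input away from the shell entirely: fork, then exec sendmail
#    with a fixed argument list (the "safe pipe open" idiom from perlipc).
#    -t makes sendmail take the recipient from the To: header, so the
#    address is data inside the message, never a command-line argument.
#    (On Perl 5.8+, open(my $fh, '|-', '/usr/lib/sendmail', '-t', '-oi')
#    achieves the same without the explicit fork.)
sub send_reply_safe {
    my ($emailadd, $body) = @_;
    die "rejected address\n" unless valid_email($emailadd);

    my $pid = open(MAIL, '|-');
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {                      # child: never returns on success
        exec('/usr/lib/sendmail', '-t', '-oi') or die "exec sendmail: $!\n";
    }
    print MAIL "To: $emailadd\nSubject: Thank you for your order\n\n$body\n";
    close(MAIL) or die "sendmail exited with status " . ($? >> 8) . "\n";
    return 1;
}

# Constructed inputs exercising the validator (no mail is sent here).
my @samples = (
    'alice@example.com',        # accepted
    'alice@example.com' . "\n", # rejected: trailing newline
    'alice example.com',        # rejected: whitespace, no @
    'alice@localhost',          # rejected: no dot in the domain part
);
for my $s (@samples) {
    (my $shown = $s) =~ s/\n/\\n/g;
    printf "%-24s %s\n", "'$shown'", valid_email($s) ? 'accepted' : 'rejected';
}
```

The two changes are independent and both are worth keeping: the validator bounds what the script accepts, and the fork/exec form guarantees that even a value the validator wrongly lets through is only ever seen by sendmail as header text, not by a shell.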
Patch: See above disclaimer. This patch is provided AS IS, however,
the advisory author believes this should remedy the problem as
detailed.
==================================
Karl Hanmore
Email: karl@system-administrator.net
Attachment: adv2000090701.patch (base64-encoded; not reproduced in this archive copy)