Vulnerabilities in

Type securityvulns
Reporter Securityvulns
Modified 2001-12-01T00:00:00



Vulnerabilities in

Overview v1.31 is a PERL script that extends Matt Wright's FormMail v1.5 to encrypt HTML form data using PGP. It is available from <>. Two vulnerabilities exist which allow a remote attacker to execute arbitrary commands on the web server it is installed on.

Note: these vulnerabilities were also independently discovered by John Scimone <>. Reference: <>


The script passes user-supplied data directly to a shell:

line 373: open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";

line 383: $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");

The hash table, 'CONFIG', is built from either the QUERY_STRING or standard input, depending on the method the input data was submitted to the script. None of the input is filtered. It should be noted that although the script checks the HTTP_REFERER field against a list of acceptable sources, these vulnerabilities are still exploitable by trivially forging a valid referer.


Apply the following patch:

< open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n"; < print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";

> # Don't pass the recipient to the $mailprog on the command line. > # Instead, use the '-t' feature. Fixed by Joe Testa > # ( > open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n"; 375a378 > print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n"; 383c386,392 < $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");

> # The PGP user id must be passed via command line, so make sure > # that only legal characters are present. Fixed by Joe Testa > # ( > $theUserID = $CONFIG{'pgpuserid'}; > $theUserID =~ /([a-zA-Z0-9]+)/; > $theUserID = $1; > $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{$theUserID}\" > > $pgptmp");

Vendor Status

The script's author, William Malin, was contacted via <> on Friday, November 9th, 2001. No reply was received.

- Joe Testa

e-mail: web page: AIM: LordSpankatron

-----BEGIN PGP SIGNATURE----- Version: Hush 2.1 Note: This signature can be verified at

wl0EARECAB0FAjwHALIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNNjw AJ9r0Son9N8YXLReXr0PR3ED7VFRRACgjyk4vsvkcV/xlioSX9Uud522ApA= =8K3/ -----END PGP SIGNATURE-----