Vulnerabilities in PGPMail.pl

2001-12-01T00:00:00
ID SECURITYVULNS:DOC:2236
Type securityvulns
Reporter Securityvulns
Modified 2001-12-01T00:00:00

Description

-----BEGIN PGP SIGNED MESSAGE-----

Vulnerabilities in PGPMail.pl

Overview

PGPMail.pl v1.31 is a PERL script that extends Matt Wright's FormMail v1.5 to encrypt HTML form data using PGP. It is available from <ftp://ftp.venturablvd.com/pub/pgpmail/>. Two vulnerabilities exist which allow a remote attacker to execute arbitrary commands on the web server it is installed on.

Note: these vulnerabilities were also independently discovered by John Scimone <jscimone@cc.gatech.edu>. Reference: <http://www.securityfocus.com/archive/82/243262>

Details

The script passes user-supplied data directly to a shell:

line 373: open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";

line 383: $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");

The hash table, 'CONFIG', is built from either the QUERY_STRING or standard input, depending on the method the input data was submitted to the script. None of the input is filtered. It should be noted that although the script checks the HTTP_REFERER field against a list of acceptable sources, these vulnerabilities are still exploitable by trivially forging a valid referer.

Solution

Apply the following patch:

< open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n"; < print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";


> # Don't pass the recipient to the $mailprog on the command line. > # Instead, use the '-t' feature. Fixed by Joe Testa > # (joetesta@hushmail.com). > open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n"; 375a378 > print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n"; 383c386,392 < $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");


> # The PGP user id must be passed via command line, so make sure > # that only legal characters are present. Fixed by Joe Testa > # (joetesta@hushmail.com). > $theUserID = $CONFIG{'pgpuserid'}; > $theUserID =~ /([a-zA-Z0-9]+)/; > $theUserID = $1; > $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{$theUserID}\" > > $pgptmp");

Vendor Status

The script's author, William Malin, was contacted via <pgpmail@venturablvd.com> on Friday, November 9th, 2001. No reply was received.

- Joe Testa

e-mail: joetesta@hushmail.com web page: http://hogs.rit.edu/~joet/ AIM: LordSpankatron

-----BEGIN PGP SIGNATURE----- Version: Hush 2.1 Note: This signature can be verified at https://www.hushtools.com

wl0EARECAB0FAjwHALIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNNjw AJ9r0Son9N8YXLReXr0PR3ED7VFRRACgjyk4vsvkcV/xlioSX9Uud522ApA= =8K3/ -----END PGP SIGNATURE-----