Title: Unsafe passing of variables to mailform.pl in MailForm V2.0 For Unix or NT
Advisory Author: Karl Hanmore <email@example.com>
Script URL: http://rlaj.com/scripts/mailform
Script Author: Ranson Johnson
Advisory Released: 11 September 2000
Vendor notified: firstname.lastname@example.org 05 Sept. 2000
Disclaimer: This information is provided AS IS. Neither myself, my employer nor any other organisation or person warrants the information supplied herein. In no instance will myself or any other organisation I am involved with accept responsibility for any damage or injury caused as a result of the use of any information provided herein. This information is provided for educational use only, and to allow potentially affected persons to more adequately secure their systems.
Vulnerable: Tested version, current version as distributed on website on 05 September 2000.
Overview: This script provides a way in which the user of the script can be provided with specific information. Files may also be attached. By making a copy of the form source and modifying the XX-attach_file variable, a user may mail himself a copy of any file readable by the uid of the running CGI process.
Impact: Abuse of this vulnerability allows a would-be attacker to gain copies of files on the system, which may then be leveraged against further vulnerabilities.
Detail: The script will happily forward the file listed in the XX-attach_file variable as passed from the form. This file can be any file that can be read by the uid of the running CGI process. It should be noted that numerous other variables are passed as hidden fields, and it is most likely that some of these may be leveraged to cause problems.
Fix: Use of hidden fields should be avoided wherever possible. Variables such as the system type, file to be sent etc. should be configured within the CGI itself, not passed to the CGI as hidden fields. This script needs a major rewrite to avoid these issues, and a detailed fix is outside the scope of this advisory. It is recommended that use of this script be avoided until the vendor has addressed these issues. The script author addressed several issues promptly after being contacted regarding these problems; however, it is the belief of the author of this advisory that there may still be some outstanding issues relating to configuration information being passed via hidden form fields.
Patch: None provided - extensive rewrite of script required to ensure better security. It should be noted that the script author has already addressed some of the issues raised, including adding a referer check into the script.
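
Example (added here for illustration; this is not code from mailform.pl or from the script author): one way to apply the Fix section's advice is to keep the attachable files in a table inside the CGI and let the form submit only a short ID. The field name attach_id, the table %ATTACHMENTS, the function resolve_attachment and all paths are hypothetical, and the form submissions are constructed sample input.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Server-side configuration: the only files this CGI will ever attach.
# Keys are opaque IDs the form may submit; paths never leave the server.
# (IDs and paths are constructed for this example.)
my %ATTACHMENTS = (
    brochure  => '/var/www/mailform/files/brochure.pdf',
    pricelist => '/var/www/mailform/files/pricelist.txt',
);

# Return the configured path for a submitted ID, or undef if the value
# is missing, malformed, or not present in the table.
sub resolve_attachment {
    my ($id) = @_;
    return unless defined $id;
    # IDs are short lowercase tokens; anything with path characters fails here.
    return unless $id =~ /\A[a-z0-9_]{1,32}\z/;
    return $ATTACHMENTS{$id};    # undef when the ID is unknown
}

# Constructed form submissions: one legitimate, three tampered.
my @submissions = (
    { attach_id        => 'brochure' },
    { attach_id        => '/any/other/readable/file' },
    { attach_id        => '../../other/file' },
    { 'XX-attach_file' => '/any/other/readable/file' },  # old-style field, ignored
);

for my $form (@submissions) {
    my $shown = defined $form->{attach_id} ? $form->{attach_id} : '(none)';
    my $path  = resolve_attachment($form->{attach_id});
    if (defined $path) {
        print "attach_id=$shown -> attach $path\n";
    }
    else {
        print "attach_id=$shown -> rejected, nothing attached\n";
    }
}
```

Only the first submission resolves to a file; the other three are rejected because the path is never taken from the request.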