![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: joetesta@hushmail.com
To: bugtraq@securityfocus.com, jscimone@cc.gatech.edu
Subject: Vulnerabilities in PGPMail.pl
Date: Thu, 29 Nov 2001 19:45:38 -0800
Vulnerabilities in PGPMail.pl
Overview
PGPMail.pl v1.31 is a PERL script that extends Matt Wright's FormMail
v1.5 to encrypt HTML form data using PGP. It is available from
<ftp://ftp.venturablvd.com/pub/pgpmail/>. Two vulnerabilities exist
which allow a remote attacker to execute arbitrary commands on the web
server it is installed on.
Note: these vulnerabilities were also independently discovered by John
Scimone <jscimone@cc.gatech.edu>. Reference:
<http://www.securityfocus.com/archive/82/243262>
Details
The script passes user-supplied data directly to a shell:
line 373:
open (MAIL, "|$mailprog $CONFIG{'recipient'}") ||
die "Can't open $mailprog!\n";
line 383:
$ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0
\"$CONFIG{'pgpuserid'}\" > $pgptmp");
The hash table, 'CONFIG', is built from either the QUERY_STRING or
standard input, depending on the method the input data was submitted
to the script. None of the input is filtered.
It should be noted that although the script checks the HTTP_REFERER
field against a list of acceptable sources, these vulnerabilities are
still exploitable by trivially forging a valid referer.
Solution
Apply the following patch:
< open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";
< print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
---
> # Don't pass the recipient to the $mailprog on the command line.
> # Instead, use the '-t' feature. Fixed by Joe Testa
> # (joetesta@hushmail.com).
> open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
375a378
> print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
383c386,392
< $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");
---
> # The PGP user id must be passed via command line, so make sure
> # that only legal characters are present. Fixed by Joe Testa
> # (joetesta@hushmail.com).
> $theUserID = $CONFIG{'pgpuserid'};
> $theUserID =~ /([a-zA-Z0-9]+)/;
> $theUserID = $1;
> $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{$theUserID}\" > $pgptmp");
Vendor Status
The script's author, William Malin, was contacted via
<pgpmail@venturablvd.com> on Friday, November 9th, 2001. No reply was
received.
- Joe Testa
e-mail: joetesta@hushmail.com
web page: http://hogs.rit.edu/~joet/
AIM: LordSpankatron