Date: Thu, 11 May 2000 00:25:54 -0400
From: Peter W <peterw@USA.NET>
Subject: issues with free Perl CGI's (Re: Black Watch Labs...)
To: BUGTRAQ@SECURITYFOCUS.COM

At 4:11pm May 10, 2000, Black Watch Labs wrote:

> "Environment and setup variables can be viewed through FormMail
> script"

> Products affected:
> Matt's FormMail.cgi

Many form-mail scripts are designed to be as easy to use as possible,
relying heavily on hidden form values...

> Vendor Patch or workaround:
> None submitted at the time of this release.

...many of these scripts are also Perl-based, which means auditing and
correcting them are easy. Some of the approaches I've taken to clean up
scripts like this (including a derivative of formmail.cgi with similar
issues that a design firm wanted me to install):

- hard-code/override some values in the CGI (also used to disable values)
- use pattern matching in the CGI to validate values
- have the script open the referring page, parse hidden values, and use
  them to override values that may have been altered by an attacker
- add X-* headers to sent mail to facilitate tracking abuse

Anybody who's not auditing and tweaking freebie scripts like this one
needs to rethink their Web app procedures. See Aleph's recent
SecurityFocus piece on how having source does not ensure the code is
safe.

BTW, did you even contact the script vendor?

> Summary:
> The script allows several environment variables to be viewed by the
> attacker, who can gain useful information on the site, making further
> attacks more feasible.

It also appears to be vulnerable to cross-site scripting problems.
Hint: hack the 'required' config, e.g.

http://victim.example.com/formmail.cgi?required=<a+href%3d'javascript%3aalert("hello")%3b'>hello</a>&recipient=foo

> About Black Watch Labs
...
> Black Watch Labs is a research group operated by Perfecto Technologies
> Inc., leader in Web application security management.

Yeah, yeah, yeah. The disclaimers and self promotion are almost as long
as the "advisory". I'm not impressed.

BTW, attached are some patches to start to plug the hole that you chose
to expose, and the cross-site scripting hole I mentioned in the required
fields (as well as another that jumped out at me). There may be more
holes, but what do you expect from a free, three-year-old script?

-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems

[Attachment: formmail-patch.gz]
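The four hardening approaches listed in the post, and the HTML-escaping that the 'required' cross-site scripting example depends on, applied to a small form-mail handler. This is an added example, not Matt's FormMail.cgi and not the patch attached to the post; every address, host, function name and sample submission in it is a constructed placeholder.

```perl
#!/usr/bin/perl
# Added example, not Matt's FormMail.cgi and not the patch attached to the
# post: the hardening approaches from the post applied to a small form-mail
# handler.  Addresses, hosts and the sample submissions are constructed.
use strict;
use warnings;

# 1. Hard-coded values that a hidden form field can never override.
my %FIXED = ( recipient => 'webmaster@example.com' );

# 2. Patterns for the fields the form is allowed to supply.  The address and
#    name patterns also exclude CR/LF, so those values are safe in headers.
my %PATTERN = (
    email    => qr/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/,
    realname => qr/^[\w .'-]{1,80}$/,
    required => qr/^\w+(?:,\w+)*$/,   # comma-separated field names only
);

# Escape anything echoed back into an HTML page (the missing step behind
# the 'required' cross-site scripting example in the post).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;  $s =~ s/</&lt;/g;   $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g; $s =~ s/'/&#39;/g;
    return $s;
}

# 3. Pull hidden inputs out of the referring page's HTML so the server's
#    copy of the form, not the submitted copy, decides their values.
#    Fetching the HTML (e.g. with LWP::UserAgent, and only from this site's
#    own host, since Referer is attacker-controlled) is left to the caller.
sub hidden_values_from_html {
    my ($html) = @_;
    my %hidden;
    while ($html =~ /(<input\s[^>]*?type\s*=\s*["']?hidden["']?[^>]*>)/gi) {
        my $tag = $1;
        my ($name)  = $tag =~ /\bname\s*=\s*["']?([^"'\s>]+)/i;
        my ($value) = $tag =~ /\bvalue\s*=\s*["']?([^"'>]*)/i;
        $hidden{$name} = defined $value ? $value : '' if defined $name;
    }
    return \%hidden;
}

# Validate the submission: pattern-checked fields must match, referrer
# hidden values override submitted ones, hard-coded values override all.
sub sanitize_params {
    my ($submitted, $referrer_hidden) = @_;
    my (%clean, @errors);
    for my $name (sort keys %$submitted) {
        next if exists $FIXED{$name};          # attacker-supplied value ignored
        my $value = $submitted->{$name};
        if (exists $PATTERN{$name} && $value !~ $PATTERN{$name}) {
            push @errors, "field '" . html_escape($name) . "' rejected: "
                        . html_escape($value);
            next;
        }
        $clean{$name} = $value;
    }
    $clean{$_} = $referrer_hidden->{$_} for keys %$referrer_hidden;
    $clean{$_} = $FIXED{$_}             for keys %FIXED;
    # The original 'required' semantics: every listed field must be filled.
    for my $req (split /,/, $clean{required} || '') {
        push @errors, "missing required field '" . html_escape($req) . "'"
            unless defined $clean{$req} && length $clean{$req};
    }
    return (\%clean, \@errors);
}

# 4. X-* headers record where the request came from, so abuse of the form
#    can be traced without trusting any submitted field.
sub build_message {
    my ($clean, $env) = @_;
    my @lines = (
        "To: $clean->{recipient}",
        "From: \"$clean->{realname}\" <$clean->{email}>",
        "Subject: " . ($clean->{subject} || 'Web form submission'),
        "X-Form-Script: formmail-hardened-example",
        "X-Remote-Addr: " . ($env->{REMOTE_ADDR} || 'unknown'),
        "X-Referer: "     . ($env->{HTTP_REFERER} || 'none'),
        "",                                  # end of headers; body follows
    );
    for my $name (sort keys %$clean) {
        next if $name =~ /^(?:recipient|realname|email|subject|required)$/;
        push @lines, "$name: $clean->{$name}";   # body only, never a header
    }
    return join("\n", @lines) . "\n";
}

# Two constructed submissions: the 'required' payload from the post with a
# tampered recipient, then a well-formed one.
my %env = ( REMOTE_ADDR  => '192.0.2.10',
            HTTP_REFERER => 'http://www.example.com/contact.html' );
my $referrer_html = q{<form><input type="hidden" name="subject" value="Contact form"></form>};
my @submissions = (
    { required  => q{<a href='javascript:alert("hello");'>hello</a>},
      recipient => 'attacker@example.net', email => 'visitor@example.org',
      realname  => 'Jane Visitor', comments => 'hi' },
    { required  => 'email,realname,comments', email => 'visitor@example.org',
      realname  => 'Jane Visitor', comments => "Hello\nBcc: spam@example.net" },
);
for my $submitted (@submissions) {
    my ($clean, $errors) =
        sanitize_params($submitted, hidden_values_from_html($referrer_html));
    if (@$errors) {
        print "Content-Type: text/html\n\n<ul>",
              (map { "<li>$_</li>" } @$errors), "</ul>\n\n";
    } else {
        print build_message($clean, \%env), "\n";
    }
}
```

The first submission is rejected because 'required' no longer matches the field-name pattern, and the rejection page shows the payload escaped rather than as markup; the tampered recipient is discarded regardless. The second produces a message addressed to the hard-coded recipient, with the subject taken from the referring page and the requester's address in X-* headers; the "Bcc:" line in the comments lands in the body after the blank line, not in the headers. Parsing the referring page only helps if the script fetches pages from its own host, since Referer itself is supplied by the client.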