
Date:         Thu, 11 May 2000 00:25:54 -0400
From: Peter W <peterw@USA.NET>
Subject:      issues with free Perl CGI's (Re: Black Watch Labs...)
To: BUGTRAQ@SECURITYFOCUS.COM

At 4:11pm May 10, 2000, Black Watch Labs wrote:

>     "Environment and setup variables can be viewed through FormMail
> script"

> Products affected:
> Matt’s FormMail.cgi

Many form-mail scripts are designed to be as easy to use as possible,
relying heavily on hidden form values...

> Vendor Patch or workaround:
> None submitted at the time of this release.

...many of these scripts are also Perl-based, which means auditing and
correcting them are easy. Some of the approaches I've taken to clean up
scripts like this (including a derivative of formmail.cgi with similar
issues that a design firm wanted me to install):

 - hard-code/override some values in the CGI (also used to disable values)
 - use pattern matching in the CGI to validate values
 - have the script open the referring page, parse hidden values, and
   use them to override values that may have been altered by an attacker
 - add X-* headers to sent mail to facilitate tracking abuse

Anybody who's not auditing and tweaking freebie scripts like this one
needs to rethink their Web app procedures. See Aleph's recent
SecurityFocus piece on how having source does not ensure the code is safe.

BTW, did you even contact the script vendor?

> Summary:
> The script allows several environment variables to be viewed by the
> attacker, who can gain useful information on the site, making further
> attacks more feasible.

It also appears to be vulnerable to cross-site scripting problems.
Hint: hack the 'required' config, e.g.
http://victim.example.com/formmail.cgi?required=<a+href%3d'javascript%3aalert("hello")%3b'>hello</a>&recipient=foo

> About Black Watch Labs ...
> Black Watch Labs is a research group operated by Perfecto Technologies
> Inc., leader in Web application security management.

Yeah, yeah, yeah. The disclaimers and self promotion are almost as long as
the "advisory". I'm not impressed.

BTW, attached are some patches to start to plug the hole that you chose to
expose, and the cross-site scripting hole I mentioned in the required
fields (as well as another that jumped out at me). There may be more
holes, but what do you expect from a free, three-year-old script?

-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems
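As an added illustration of the first, second and fourth approaches listed in the message above (example code written for this page; it is neither Peter's attached patch nor Matt's script): a Perl fragment that hard-codes the recipient so a hidden field cannot redirect mail, validates field names and the visitor's address with patterns, HTML-escapes anything echoed back to the browser (the 'required' cross-site scripting hole), and adds X-* headers for abuse tracking. The configuration values, header names and patterns are my own assumptions; the third approach (re-reading the referring page) is left out because it needs a network fetch.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hard-coded settings that override anything submitted in hidden fields
# (assumed values; a real deployment sets its own).
my %FIXED = (
    recipient => 'webmaster@example.com',   # never taken from the form
    subject   => 'Web form submission',
);

# Field names: letters, digits, underscore, hyphen only, at most 64 chars.
# Anything else (such as a <a href=...> tag) is dropped before it is used.
sub valid_field_name { my ($n) = @_; return defined $n && $n =~ /^[A-Za-z0-9_-]{1,64}\z/; }

# A deliberately conservative check for the visitor's own email field.
sub valid_email {
    my ($e) = @_;
    return defined $e && $e =~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
}

# Escape anything echoed back into HTML (the hole in the 'required' error page).
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# Extra mail headers so abuse can be traced; CR/LF stripped to block header injection.
sub abuse_headers {
    my ($env) = @_;
    my $clean = sub { my $v = defined $_[0] ? $_[0] : '-'; $v =~ s/[\r\n]//g; $v };
    return join '', map { 'X-Form-' . $_->[0] . ': ' . $clean->($env->{$_->[1]}) . "\n" }
        (['Remote-Addr', 'REMOTE_ADDR'], ['Referer', 'HTTP_REFERER'], ['User-Agent', 'HTTP_USER_AGENT']);
}

# Given the submitted fields (as a hashref), return either the list of missing
# required fields (already HTML-escaped for display) or the assembled message.
sub process_form {
    my ($form) = @_;
    my @required = grep { valid_field_name($_) } split /,/, ($form->{required} || '');
    my @missing  = map { html_escape($_) } grep { !defined $form->{$_} || $form->{$_} eq '' } @required;
    return { missing => \@missing } if @missing;
    return { error => 'bad email address' } unless valid_email($form->{email});
    my @names = grep { valid_field_name($_) && !$FIXED{$_} && $_ ne 'required' } keys %$form;
    my $body  = join "\n", map { "$_: $form->{$_}" } sort @names;
    return { to => $FIXED{recipient}, subject => $FIXED{subject}, headers => abuse_headers(\%ENV), body => $body };
}
```

With the probe URL from the message, the tag in `required` fails `valid_field_name` and is discarded, and any legitimate missing field name is escaped before it reaches the error page.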

[Attachment: formmail-patch.gz (application/octet-stream)]