Bugtraq mailing list archives

SECURITY HOLE: FormMail


From: paulp () CERF NET (Paul Phillips)
Date: Wed, 2 Aug 1995 21:28:43 -0700


In article <DCpnJ9.4Kq () k12 colostate edu> mattw () alpha pr1 k12 co us
(Matthew M. Wright) writes:
> My script at:
>
> http://alpha.pr1.k12.co.us/~mattw/scripts.html
>
> called FormMail does this exact thing.  It works pretty much on any form and
> you just have to specify the email address of yourself in a hidden field in
> the form.  I don't think that this script has a security hole in it as
> mentioned in a previous posting about a program called AnyForm.  It pipes the
> information to you in a different way.  Of course if there was anyone who
> wanted to check this I don't think it would hurt.

Okay folks, you know the drill.

It does have a security hole, it has the *exact* same hole that
AnyForm did, except that it is exploited via open instead of system.
But a shell by any other name...

Here's the offending line:

open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n";

Maybe I should use all caps this time: DON'T PASS UNCHECKED USER
DATA TO SHELLS.  I just obtained /etc/motd from a site running
FormMail, and it was sent to me courtesy of root... my oh my.

Posted and emailed to the author and several mailing lists.  Again,
please direct followups to comp.infosystems.www.authoring.cgi.

--
Paul Phillips                                 | "Click _here_ if you do not
<URL:mailto:paulp () cerf net>                   |  have a graphical browser"
<URL:http://www.primus.com/staff/paulp/>      |  -- Canter and Siegel, on
<URL:pots://+1-619-220-0850/is/paul/there?>   |  their short-lived web site
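The fix for the open() pipe discussed above, as an added example that is not part of the original post or of FormMail: the recipient from the hidden form field is validated against an address pattern and a site-owner allowlist, and the mailer is started with the list form of open(), which execs the program directly without a shell. The $mailprog path, the allowlist entries and the function names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example, not FormMail's own code. Two changes relative to
#   open (MAIL, "|$mailprog $FORM{'recipient'}")
# 1) the recipient is checked against a strict pattern and an allowlist the
#    site owner controls, so a form field can never name an arbitrary target;
# 2) list-form open() (Perl 5.8+) passes arguments straight to execvp(),
#    so /bin/sh never sees them and metacharacters have no special meaning.
use strict;
use warnings;

my $mailprog = '/usr/lib/sendmail';    # assumed path to the local mailer
# Constructed allowlist: the only addresses this site is willing to mail.
my %allowed = map { $_ => 1 } ('webmaster@example.com', 'sales@example.com');

# Returns the validated address, or undef if it is malformed or not allowed.
sub safe_recipient {
    my ($candidate) = @_;
    return undef unless defined $candidate;
    # Shape check: one '@', no whitespace, no shell metacharacters.
    return undef
        unless $candidate =~ /^([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})$/;
    my $addr = $1;    # copy taken from the capture, so it is untainted under -T
    # Even a well-formed address is refused unless the site owner listed it.
    return $allowed{$addr} ? $addr : undef;
}

sub send_form_mail {
    my ($recipient, $body) = @_;
    my $addr = safe_recipient($recipient)
        or die "Refusing to mail to an unapproved recipient\n";
    # List form: program and each argument are separate list elements; no shell.
    # -oi is sendmail's "do not treat a lone dot as end of input" option.
    open(my $mail, '|-', $mailprog, '-oi', $addr)
        or die "Can't open $mailprog: $!\n";
    print $mail "To: $addr\n";
    print $mail "Subject: Form submission\n\n";
    print $mail $body;
    close($mail) or die "$mailprog exited with status $?\n";
    return $addr;
}

# Constructed inputs: the first is accepted, the second is refused before any
# process is started, whatever else it contains.
print "ok: ", send_form_mail('webmaster@example.com', "name=test\n"), "\n";
print "refused\n" unless defined safe_recipient('nobody@example.com; id');
```

Under Perl 4 (which FormMail targeted in 1995) list-form open does not exist; the equivalent is to fork and exec the mailer with an argument list yourself, but the validation function above applies unchanged.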


