Bugtraq mailing list archives

Re: SECURITY HOLE: FormMail


From: cwe () Csli Stanford EDU (Christian Wettergren)
Date: Thu, 3 Aug 1995 13:52:19 -0700


| It does have a security hole, it has the *exact* same hole that
| AnyForm did, except that it is exploited via open instead of system.
| But a shell by any other name...
|
| Here's the offending line:
|
| open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n";
|
| Maybe I should use all caps this time: DON'T PASS UNCHECKED USER
| DATA TO SHELLS.  I just obtained /etc/motd from a site running
| FormMail, and it was sent to me courtesy of root... my oh my.

Also, remember to filter the data correctly. When we are talking about
mail, you should filter for the following stuff at least:

If handled by /usr/ucb/mail:

  * Tildes at the beginning of a line, since you can do
    ~!/bin/sh and ~|/bin/sh etc
  * Include attacks from sendmail as well.

If handled by /bin/mail:
  * Watch out for lines starting with !, since you can do
    !/bin/sh on some /bin/mail's.

If handled by a sendmail:
  * email addresses starting with ! or / since you can do
    <!/bin/sh> or </.rhosts>
  * Filter out strange headers, like
    Errors-to:  Return-receipt-to:
    since your problem (the same as above) might come back further
    down, if done by a clever attacker.

Anyone care to join more mail horrors? :-)

/Christian Wettergren
 cwe () it kth se
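Added example, not from the original post or from FormMail itself: a hardened version of the mail-sending step the thread is about. It replaces the shell-interpolating `open(MAIL, "|$mailprog $FORM{'recipient'}")` with Perl's list-form pipe open (arguments go straight to the mailer, no shell), validates the recipient against a conservative address syntax so values such as `!/bin/sh` or `/.rhosts` are rejected, emits only a fixed header set so user input can never become an `Errors-To:` or `Return-Receipt-To:` header, and neutralises body lines beginning with `~` or `!` for the `/usr/ucb/mail` and `/bin/mail` cases. The mailer path `$mailprog`, the `-oi` flag and the function names are assumptions for illustration.

```perl
#!/usr/bin/perl
# Added example (not FormMail's code): sending form mail without a shell
# and without letting user data reach mailer escapes or headers.
use strict;
use warnings;

my $mailprog = '/usr/lib/sendmail';   # assumed path; adjust for your system

# Accept only a conservative local@domain syntax. The first character must
# be alphanumeric, so addresses starting with '!', '/' or '-' (mailer escape,
# file delivery, option injection) never pass.
sub valid_recipient {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return 0 if length($addr) > 254;
    return $addr =~ /^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/
        ? 1 : 0;
}

# Strip CR so a CRLF cannot be used to smuggle an extra header line, and
# prefix a space to any body line that starts with '~' or '!' so that
# /usr/ucb/mail and /bin/mail do not treat it as an escape sequence.
sub sanitize_body {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/\r//g;
    my @lines = split /\n/, $text, -1;
    s/^([~!])/ $1/ for @lines;
    return join("\n", @lines);
}

# Headers are fixed and built from validated values only; the recipient is
# passed as an argv element, never interpolated into a shell command line.
sub send_form_mail {
    my ($recipient, $subject, $body) = @_;
    die "Invalid recipient\n" unless valid_recipient($recipient);
    $subject = '' unless defined $subject;
    $subject =~ s/[\r\n]//g;           # header must stay on one line

    # List-form open: '|-' plus a list means execve(), no /bin/sh involved.
    open(my $mail, '|-', $mailprog, '-oi', $recipient)
        or die "Can't open $mailprog: $!\n";
    print $mail "To: $recipient\n";
    print $mail "Subject: $subject\n";
    print $mail "\n";
    print $mail sanitize_body($body), "\n";
    close($mail) or die "$mailprog exited with status $?\n";
    return 1;
}

# Usage (constructed input): the second call dies before any mailer runs.
# send_form_mail('user@example.org', 'Comment', "~!/bin/sh\nhello");
# send_form_mail('!/bin/sh', 'Comment', 'hello');
```

The validation happens before the mailer is started, so a bad recipient never reaches it, and `close` is checked so a failed delivery is reported rather than silently dropped.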