Bugtraq mailing list archives
issues with free Perl CGI's (Re: Black Watch Labs...)
From: peterw () USA NET (Peter W)
Date: Thu, 11 May 2000 00:25:54 -0400
At 4:11pm May 10, 2000, Black Watch Labs wrote:
> "Environment and setup variables can be viewed through FormMail script"
> Products affected: Matt's FormMail.cgi
> Many form-mail scripts are designed to be as easy to use as possible, relying heavily on hidden form values...
> Vendor Patch or workaround: None submitted at the time of this release.
...many of these scripts are also Perl-based, which means auditing and correcting them are easy. Some of the approaches I've taken to clean up scripts like this (including a derivative of formmail.cgi with similar issues that a design firm wanted me to install):

- hard-code/override some values in the CGI (also used to disable values)
- use pattern matching in the CGI to validate values
- have the script open the referring page, parse hidden values, and use them to override values that may have been altered by an attacker
- add X-* headers to sent mail to facilitate tracking abuse

Anybody who's not auditing and tweaking freebie scripts like this one needs to rethink their Web app procedures. See Aleph's recent SecurityFocus piece on how having source does not ensure the code is safe.

BTW, did you even contact the script vendor?
> Summary: The script allows several environment variables to be viewed by the attacker, who can gain useful information on the site, making further attacks more feasible.
It also appears to be vulnerable to cross-site scripting problems. Hint: hack the 'required' config, e.g.

http://victim.example.com/formmail.cgi?required=<a+href%3d'javascript%3aalert("hello")%3b'>hello</a>&recipient=foo
> About Black Watch Labs ... Black Watch Labs is a research group operated by Perfecto Technologies Inc., leader in Web application security management.
Yeah, yeah, yeah. The disclaimers and self promotion are almost as long as the "advisory". I'm not impressed.

BTW, attached are some patches to start to plug the hole that you chose to expose, and the cross-site scripting hole I mentioned in the required fields (as well as another that jumped out at me). There may be more holes, but what do you expect from a free, three-year-old script?

-Peter
http://www.bastille-linux.org/ : working towards more secure Linux systems

Attachment: formmail-patch.gz (application/octet-stream)
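The following is an added illustration for this archive page, written to show the first, second and fourth of the clean-up approaches listed in the post (hard-coded values, pattern-matching validation, X-* tracking headers) together with HTML-escaping of anything echoed back, which is what the 'required' cross-site scripting hint above abuses. It is not Matt's FormMail.cgi and not the patch attached to the post; the recipient address, the sendmail path, the field names and the whitelist patterns are assumptions. The third approach (re-fetching the referring page to recover its hidden values) needs network access and is left out.

```perl
#!/usr/bin/perl -T
# Added illustration for this page; not Matt's FormMail.cgi and not the
# patch attached to the post. Recipient, sendmail path, field names and
# patterns are assumed.
use strict;
use warnings;

# Taint mode refuses to run a subprocess with an untrusted PATH.
$ENV{PATH} = '/usr/sbin:/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 1. Hard-coded values: recipient and required-field list live here, so
#    hidden form fields named 'recipient' or 'required' (which the client
#    controls) are ignored rather than trusted.
my $RECIPIENT = 'webmaster@example.com';   # assumed
my $SENDMAIL  = '/usr/sbin/sendmail';      # assumed
my @REQUIRED  = qw(realname email message);

# 2. Pattern matching: one anchored whitelist per field. \A and \z rather
#    than ^ and $, because $ still matches before a trailing newline and a
#    newline in a header field is a mail-header injection.
my %PATTERN = (
    realname => qr/\A[A-Za-z .'-]{1,64}\z/,
    email    => qr/\A[\w.+-]+@[\w-]+(?:\.[\w-]+)+\z/,
    subject  => qr/\A[\w .,!?'-]{1,80}\z/,
);

# Minimal application/x-www-form-urlencoded decoder (no CGI.pm needed).
sub parse_form {
    my ($raw) = @_;
    my %f;
    for my $pair (split /[&;]/, $raw) {
        my ($k, $v) = split /=/, $pair, 2;
        next unless defined $k && length $k;
        $v = '' unless defined $v;
        for ($k, $v) { s/\+/ /g; s/%([0-9A-Fa-f]{2})/chr hex $1/eg; }
        $f{$k} = $v;
    }
    return \%f;
}

# Everything user-supplied that is echoed into HTML passes through here;
# the original script echoes the 'required' names raw, hence the XSS.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g; $s =~ s/'/&#39;/g;
    return $s;
}

sub validate {
    my ($f) = @_;
    my @errors;
    for my $name (@REQUIRED) {
        push @errors, "Missing required field: $name"
            unless defined $f->{$name} && length $f->{$name};
    }
    for my $name (sort keys %PATTERN) {
        next unless defined $f->{$name} && length $f->{$name};
        push @errors, "Bad value for $name: '$f->{$name}'"
            unless $f->{$name} =~ $PATTERN{$name};
    }
    return @errors;
}

# 4. X-* headers recording where the request came from, so abusive mail
#    can be traced. Environment values are folded onto one line.
sub build_mail {
    my ($f, $env) = @_;
    my %h = map { my $v = $env->{$_} // '-'; $v =~ s/[\r\n]+/ /g; ($_ => $v) }
            qw(REMOTE_ADDR HTTP_REFERER HTTP_USER_AGENT);
    my $subject = length($f->{subject} // '') ? $f->{subject} : 'Web form submission';
    return join "\n",
        "To: $RECIPIENT",
        "From: $f->{email}",
        "Subject: $subject",
        "X-Form-Remote-Addr: $h{REMOTE_ADDR}",
        "X-Form-Referer: $h{HTTP_REFERER}",
        "X-Form-User-Agent: $h{HTTP_USER_AGENT}",
        '',
        "Name: $f->{realname}",
        '',
        $f->{message},
        '';
}

my $raw = '';
if (($ENV{REQUEST_METHOD} // '') eq 'POST') {
    read STDIN, $raw, ($ENV{CONTENT_LENGTH} // 0);
} else {
    $raw = $ENV{QUERY_STRING} // '';
}
my $form   = parse_form($raw);
my @errors = validate($form);

if (@errors) {
    print "Content-Type: text/html\n\n<h1>Form error</h1>\n<ul>\n",
          (map { '<li>' . html_escape($_) . "</li>\n" } @errors),
          "</ul>\n";
    exit 0;
}
# List-form open: no shell, so field contents never reach a command line.
open my $mail, '|-', $SENDMAIL, '-oi', '-t' or die "cannot run sendmail: $!";
print {$mail} build_mail($form, \%ENV);
close $mail or die "sendmail failed: $?";
print "Content-Type: text/html\n\n<p>Thanks, your message has been sent.</p>\n";
```

Two checks worth keeping in mind when auditing a script like this: a pattern anchored with `$` silently admits a trailing newline, which is enough to append an extra `Bcc:` line to the outgoing message; and any value the script reflects into an error page, including the names of "missing" fields, must be escaped, since with the stock script the attacker chooses those names.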