Bugtraq mailing list archives

issues with free Perl CGI's (Re: Black Watch Labs...)


From: peterw () USA NET (Peter W)
Date: Thu, 11 May 2000 00:25:54 -0400


At 4:11pm May 10, 2000, Black Watch Labs wrote:

    "Environment and setup variables can be viewed through FormMail script"

Products affected:
Matt's FormMail.cgi

Many form-mail scripts are designed to be as easy to use as possible,
relying heavily on hidden form values...

Vendor Patch or workaround:
None submitted at the time of this release.

...many of these scripts are also Perl-based, which means auditing and
correcting them are easy. Some of the approaches I've taken to clean up
scripts like this (including a derivative of formmail.cgi with similar
issues that a design firm wanted me to install)

 - hard-code/override some values in the CGI (also used to disable values)
 - use pattern matching in the CGI to validate values
 - have the script open the referring page, parse hidden values, and 
   use them to override values that may have been altered by an attacker
 - add X-* headers to sent mail to facilitate tracking abuse

Anybody who's not auditing and tweaking freebie scripts like this one
needs to rethink their Web app procedures. See Aleph's recent
SecurityFocus piece on how having source does not ensure the code is safe.

BTW, did you even contact the script vendor?

Summary:
The script allows several environment variables to be viewed by the
attacker, who can gain useful information on the site, making further
attacks more feasible.

It also appears to be vulnerable to cross-site scripting problems.
Hint: hack the 'required' config, e.g.
http://victim.example.com/formmail.cgi?required=<a+href%3d'javascript%3aalert("hello")%3b'>hello</a>&recipient=foo

About Black Watch Labs ...
Black Watch Labs is a research group operated by Perfecto Technologies
Inc., leader in Web application security management.

Yeah, yeah, yeah. The disclaimers and self promotion are almost as long as
the "advisory". I'm not impressed.

BTW, attached are some patches to start to plug the hole that you chose to
expose, and the cross-site scripting hole I mentioned in the required
fields (as well as another that jumped out at me). There may be more
holes, but what do you expect from a free, three-year-old script?

-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems

Attachment: formmail-patch.gz (application/octet-stream)
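The four clean-up approaches listed in the post (hard-coded overrides, pattern-matched values, and X-* tracking headers; the referrer-parsing step is left out), shown as an added Perl example that is neither Matt's script nor the patch attached to this message. The function names, the allowed recipient list and the example.com addresses are assumptions, and the tampered form values are constructed inline rather than read from a real CGI request.

```perl
# Hardened FormMail-style field handling (added example, not Matt's script).
use strict; use warnings;

# Hard-coded override: the script, not a hidden field, decides where mail goes.
my %ALLOWED_RECIPIENT = map { ($_ => 1) } qw(webmaster@example.com sales@example.com);
my $DEFAULT_RECIPIENT = 'webmaster@example.com';

# Escape anything echoed back into HTML (closes the 'required' XSS hole).
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s =~ s/"/&quot;/g;
    return $s;
}

# Pattern-match every hidden value instead of trusting it; returns (clean, errors).
sub validate_form {
    my ($f) = @_;
    my (%clean, @errors);
    my $r = $f->{recipient} // '';
    $clean{recipient} = $ALLOWED_RECIPIENT{$r} ? $r : $DEFAULT_RECIPIENT;
    # 'required': comma-separated field names only, so HTML can never reach the error page
    my $req = $f->{required} // '';
    if ($req !~ /^\w+(,\w+)*$/) {
        push @errors, 'required list rejected: ' . html_escape($req);
        $req = '';
    }
    # subject lands in a mail header: no CR/LF (header injection), bounded length
    my $subj = $f->{subject} // '';
    if ($subj =~ /[\r\n]/ || length($subj) > 200) { push @errors, 'subject rejected'; $subj = ''; }
    $clean{subject} = $subj;
    my $e = $f->{email} // '';
    $clean{email} = ($e =~ /^[\w.+-]+@[\w-]+(\.[\w-]+)+$/) ? $e : '';
    for my $name (split /,/, $req) {
        push @errors, "missing required field: $name"
            unless defined $f->{$name} && length $f->{$name};
    }
    return (\%clean, \@errors);
}

# X-* headers so abuse can be traced back to the submitting client.
sub tracking_headers {
    my ($env) = @_;
    return map { "X-FormMail-$_: " . ($env->{$_} // 'unknown') } qw(REMOTE_ADDR HTTP_USER_AGENT);
}

# Constructed sample: tampered hidden fields like those in the advisory (no real CGI input).
my %form = (recipient => 'attacker@example.net', subject => "Hi\r\nBcc: x\@example.net",
            required => q{<a href='javascript:alert("hello")'>hello</a>}, email => 'pat@example.org');
my ($clean, $errors) = validate_form(\%form);
print "$_\n" for (@$errors, "To: $clean->{recipient}", tracking_headers(\%ENV));
```

Run outside a web server the X-* headers print 'unknown', since REMOTE_ADDR and HTTP_USER_AGENT are only set by the CGI environment.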
