Bugtraq mailing list archives

Unsafe passing of variables to mailform.pl in MailForm V2.0


From: Karl Hanmore <karl () SYSTEM-ADMINISTRATOR NET>
Date: Mon, 11 Sep 2000 23:00:25 +0000

Title: Unsafe passing of variables to mailform.pl in MailForm V2.0 For
Unix or NT

Advisory Author: Karl Hanmore <karl () system-administrator net>

Script URL: http://rlaj.com/scripts/mailform

Script Author: Ranson Johnson

Advisory Released: 11 September 2000

Vendor notified: support () rlaj com 05 Sept. 2000

Disclaimer: This information is provided AS IS.  Neither myself, my
employer or any other organisation or person warrant the information
supplied herein. In no instance will myself or any other organisation
I am involved with accept responsibility for any damage or injury
caused as a result of the use of any information provided herein.  This
information is provided for educational use only, and to allow
potentially affected persons to more adequately secure their systems.

Vulnerable: Tested version, current version as distributed on website
on 05 September 2000.

Overview:  This script provides a way in which the user of the script
can be provided with specific information.  Files may also be
attached.  By making a copy of the form source and modifying the
XX-attach_file variable, a user may mail himself a copy of any file
readable by the uid of the running cgi process.

Impact: Abuse of this vulnerability allows a would-be attacker to gain
copies of files on the system, possibly enabling leverage of such for
further vulnerabilities.

Detail: The script will happily forward the file listed in the
XX-attach_file variable as passed from the form.  This file can be any
file that can be read by the uid of the running cgi process.  It
should be noted that numerous other variables are passed as hidden
fields, and it is most likely that some of these may be levered to
cause problems.

Fix: Use of hidden fields should be avoided wherever possible.
Variables such as the system type, file to be sent etc should be
configured within the cgi itself, not passed to the cgi as hidden
fields.  This script should be majorly re-written to avoid these
issues, and a detailed fix is outside of the scope of this advisory.
It is recommended that use of this script be avoided until the vendor
has addressed these issues.  The script author has addressed several
issues promptly after being contacted regarding these problems,
however, it is the belief of the author of this advisory that
there may still be some outstanding issues relating to configuration
information being passed via hidden form fields.

Patch: None provided - extensive re-write of script required to ensure
better security.  It should be noted that the script author has
already addressed some of the issues raised, including adding a
referer check into the script.
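
Added example (not part of the original advisory and not MailForm's own code): a sketch of the approach the Fix section recommends, where the attachment path is configured inside the CGI and looked up by a form id, and any client-supplied XX-attach_file is ignored and flagged for logging. The form_id field, the form names, the file paths and the sample requests are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Server-side configuration: the attachment for each form is set here,
# inside the CGI, and is never read from the request.
# Form ids and paths are hypothetical.
my %FORM_CONFIG = (
    brochure  => { attach_file => '/var/www/mailform/files/brochure.pdf' },
    pricelist => { attach_file => '/var/www/mailform/files/pricelist.txt' },
);

# Returns (path, warning). path is undef when the form id is unknown.
# A client-supplied XX-attach_file is never used; its presence is
# reported so the request can be logged as possible tampering.
sub resolve_attachment {
    my ($params) = @_;
    my $form_id = defined $params->{form_id} ? $params->{form_id} : '';
    my $warning;
    if (exists $params->{'XX-attach_file'}) {
        $warning = 'ignored client-supplied XX-attach_file';
    }
    # Only short lowercase alphanumeric ids are accepted as lookup keys.
    return (undef, $warning) unless $form_id =~ /\A[a-z0-9_]{1,32}\z/;
    my $cfg = $FORM_CONFIG{$form_id} or return (undef, $warning);
    return ($cfg->{attach_file}, $warning);
}

# Constructed sample requests (already-decoded form parameters).
my @requests = (
    { form_id => 'brochure', email => 'user@example.com' },
    { form_id => 'brochure', email => 'user@example.com',
      'XX-attach_file' => '/path/outside/the/form/config' },
    { form_id => 'no-such-form', email => 'user@example.com' },
);

for my $req (@requests) {
    my ($path, $warning) = resolve_attachment($req);
    print defined $path ? "attach: $path\n" : "attach: none (unknown form)\n";
    print "log: $warning\n" if defined $warning;
}
```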

