Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: Apps :: cgimail.htm

Stalker's CGImail retrieve arbitrary files



    Stalker's CGImail


    Sverre H. Huseby found  following.  Stalker Lab's  Mailers package
    for Windows NT contains the CGImail.exe program, which is used  to
    convert the contents  of an HTML  form to an  email.  The  program
    takes a  template file  on the  web server  disk, and  substitutes
    special  markup  ("variables")  with  values  from the form before
    sending the mail.  Attachments are also supported.

    Unfortunately,  every  part  of   the  mail  sending  process   is
    controlled by (possibly hidden) values  in the form.  A  malicious
    user may  thus save  the web  page to  disk, modify  the recipient
    $To$ -variable,  and the  template $File$  or $Attach$  -variable,
    and trick the  program into sending  any file from  the web server
    disk to himself.


    Sverre  has  tested  this  positively  on  an  unknown  version of
    CGImail.exe  (web  server  outside  of  his control, problem since
    fixed  by  removing  CGImail.exe).   The  docs  (cgimail.txt)  for
    version 1.12 (1996-12-17) available from

    indicate that  the same  problem exists  with that  version.   The
    Stalker Lab web page at

    is unreachable (No route to host), but a cached version at  Google
    shows that a version of at least 1.20 is now available.

    The 1.12 docs has a section about "security": CGImail.exe may  use
    the CGI HTTP_REFERER  environment variable to  make sure the  page
    containing  the  form  comes  from  the  correct  web  server.  No
    solution  to  the  problem  is  known,  except  for disabling (and
    deleting!) the program entirely.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH