TUCoPS :: Web :: Apps :: web4892.htm

4th Dec 2001 [SBWID-4892]



	Joe Testa found the following, regarding

	Note: these vulnerabilities were also independently discovered by John
	Scimone.

	v1.31 is a Perl script that extends Matt Wright's FormMail v1.5 to
	encrypt HTML form data using PGP.  It is available from

	Two vulnerabilities exist which allow a remote attacker to execute
	arbitrary commands on the web server on which the script is installed.


	The script passes user-supplied data directly to a shell.  Both opens
	below build a single string that contains shell metacharacters (the
	leading pipe and, in the second, the output redirect), so Perl runs it
	through /bin/sh -c and the interpolated CONFIG values are parsed by the
	shell rather than passed to the program as arguments:

	line 373:
	    open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";

	line 383:
	    $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");



	The hash %CONFIG is built from either QUERY_STRING or standard input,
	depending on whether the form was submitted with GET or POST.  None of
	the input is filtered, so any form field can carry shell metacharacters
	into the two opens above.

	It should be noted that although the script checks the HTTP_REFERER
	field against a list of acceptable sources, this is no protection: the
	Referer header is supplied by the client, so an attacker forges a valid
	one trivially and these vulnerabilities remain exploitable.
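
	The following stand-alone Perl program is an added example, not code from
	the advisory or from the script it describes.  It shows what the
	interpolated open at line 373 actually hands to the shell, the list-form
	open that execs the mailer without any shell, an IPC::Open2 replacement
	for the redirected pgp pipe at line 383, and input checks that fail
	closed instead of salvaging part of a bad value.  The program paths, the
	form values in %CONFIG and the helper names are assumptions made for the
	demonstration; perl itself stands in for sendmail and pgp so that the
	example runs offline.

```perl
#!/usr/bin/perl
# Added example; not code from the advisory or from the script it describes.
# Demonstrates why the one-string pipe opens at lines 373 and 383 are command
# injections, and the two defences: run the program without a shell, and
# reject bad input rather than extract "something" from it.  Paths, form
# values and function names are assumptions for this demonstration.
use strict;
use warnings;
use IPC::Open2;          # core module: bidirectional pipe, no shell involved

my $mailprog = '/usr/lib/sendmail';   # assumed path; only interpolated below
my $pgptmp   = "/tmp/pgpdemo.$$";     # assumed temp file, like $pgptmp in the script

# Constructed form input, as %CONFIG holds it after parsing QUERY_STRING or
# STDIN.  The original script filters none of it.
my %CONFIG = (
    'recipient' => 'webmaster@example.com; id > /tmp/pwned',
    'pgpuserid' => 'Webmaster <webmaster@example.com>" ; id #',
    'your name' => "Eve\nBcc: everyone@example.net",
);

# 1. What line 373 hands to the shell.  A one-string pipe open that contains
#    metacharacters makes perl run "/bin/sh -c <string>", so the ';' and '>'
#    supplied in the form field are executed as shell syntax.
sub shell_command_built_by_original {
    my ($recipient) = @_;
    return "$mailprog $recipient";
}
print "line 373 would run: ", shell_command_built_by_original($CONFIG{'recipient'}), "\n";

# 2. Defence: list-form open.  '|-' or '-|' with one argument per list element
#    execs the program directly; nothing parses metacharacters, so the value
#    arrives as a single argv entry whatever it contains.  Perl is the child
#    here so this runs anywhere; the real fix is open(MAIL, '|-', $mailprog, '-t').
sub run_with_argv {
    my @argv = @_;
    open(my $child, '-|', $^X, '-e', 'print "argv: [$_]\n" for @ARGV', '--', @argv)
        or die "Can't run $^X: $!\n";
    my @lines = <$child>;
    close $child;
    return @lines;
}
print run_with_argv($CONFIG{'recipient'});   # exactly one argv line, metacharacters inert

# 3. Replacing "|$pgpprog -fea ... > $pgptmp" without a shell: feed the
#    plaintext to the child's stdin, read its stdout, write the file from perl.
#    A tr/// filter stands in for pgp; only the command list would change.
sub encrypt_via_open2 {
    my ($plaintext, @cmd) = @_;
    my $pid = open2(my $out, my $in, @cmd) or die "Can't run $cmd[0]: $!\n";
    print $in $plaintext;
    close $in;                                   # EOF lets the filter finish
    my $ciphertext = do { local $/; <$out> };
    close $out;
    waitpid $pid, 0;
    open(my $fh, '>', $pgptmp) or die "Can't write $pgptmp: $!\n";
    print $fh $ciphertext;
    close $fh;
    return $ciphertext;
}

# 4. Validation that fails closed.  An unanchored /([a-zA-Z0-9]+)/ followed by
#    $theUserID = $1 would silently reduce the ID above to "Webmaster", and on
#    a value with no match leaves $1 holding an earlier capture.  Anchor the
#    pattern, test it, refuse rather than guess.  The permitted set is wider
#    than plain alphanumerics only because the value never reaches a shell here.
sub validate_pgp_userid {
    my ($id) = @_;
    return undef unless defined $id;
    return $id =~ /\A([A-Za-z0-9 ._@<>-]{1,128})\z/ ? $1 : undef;
}

# 5. With "sendmail -t" the message headers decide the recipients, so any
#    form value printed as a header must not carry CR or LF.
sub header_value {
    my ($v) = @_;
    $v =~ s/[\r\n]+/ /g;
    return $v;
}

my $id = validate_pgp_userid($CONFIG{'pgpuserid'});
print defined $id ? "pgp user id accepted: $id\n"
                  : "pgp user id rejected: [$CONFIG{'pgpuserid'}]\n";
print encrypt_via_open2("secret form data\n", $^X, '-pe', 'tr/a-z/A-Z/');
print 'From: ', header_value($CONFIG{'your name'}), "\n";
unlink $pgptmp;
```

	Run it with perl.  The first line printed is the command the original
	open builds for /bin/sh; the second shows the same recipient arriving in
	the child as one argv entry; the remaining lines show the crafted user ID
	being rejected, the stand-in filter's output passing through open2 and
	into the temp file, and the From: value with its embedded newline gone.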



	Apply the following patch:


	< open (MAIL, \"|$mailprog $CONFIG{\'recipient\'}\") || die \"Can\'t open $mailprog!\\n\";

	< print MAIL \"From: $CONFIG{\'your name\'} \\<$CONFIG{\'your email\'}\\>\\n\";

	- ---

	> # Don\'t pass the recipient to the $mailprog on the command line.

	> #     Instead, use the \'-t\' feature.  Fixed by Joe Testa

	> #     (

	> open (MAIL, \"|$mailprog -t\") || die \"Can\'t open $mailprog!\\n\";


	> print MAIL \"From: $CONFIG{\'your name\'} \\<$CONFIG{\'your email\'}\\>\\n\";
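
	Review bot: with -t the mailer now takes its recipients from the To:, Cc: and Bcc: headers of the message, yet the print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n" line kept in this hunk still writes two unfiltered form fields into that header block; a 'your name' value containing a newline followed by "Bcc: ..." adds a recipient. Strip CR and LF from every CONFIG value printed as a header (for example $v =~ s/[\r\n]//g) as part of the same change, otherwise the command injection is closed but header injection through -t stays open. The open itself is still a single interpolated string and so still goes through the shell; that is acceptable only as long as $mailprog remains an administrator-set constant.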


	<       $ret_val = open (PGP, \"|$pgpprog -fea +VERBOSE=0 \\\"$CONFIG{\'pgpuserid\'}\\\" > $pgptmp\");


	- ---

	>       # The PGP user id must be passed via command line, so make sure

	>       #     that only legal characters are present.  Fixed by Joe Testa

	>       #     (

	>       $theUserID = $CONFIG{\'pgpuserid\'};

	>       $theUserID =~ /([a-zA-Z0-9]+)/;

	>       $theUserID = $1;

	>       $ret_val = open (PGP, \"|$pgpprog -fea +VERBOSE=0 \\\"$theUserID\\\" > $pgptmp\");
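
	Review bot: $theUserID =~ /([a-zA-Z0-9]+)/; $theUserID = $1; never checks that the match succeeded, and the pattern is unanchored. On a value with no alphanumeric character Perl leaves $1 holding whatever the last successful match in the enclosing scope captured, so an unrelated string is passed to pgp, and an ordinary user ID such as "Web Master <webmaster@example.com>" is silently cut down to "Web", a far more ambiguous key selector than the administrator intended. Test and anchor instead: if ($CONFIG{'pgpuserid'} =~ /^([a-zA-Z0-9]+)$/) { $theUserID = $1; } else { die "Bad PGP user id\n"; }. The open remains a one-string pipe with a redirect, so this whitelist is the only thing between the form field and /bin/sh; a list-form open, or IPC::Open2 with $pgptmp written from Perl, would remove that dependency altogether.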



