Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: Apps :: web5582.htm

sendform.cgi directory traversal leading to arbitrary file reading



31th Jul 2002 [SBWID-5582]
COMMAND

	sendform.cgi directory traversal leading to arbitrary file reading

SYSTEMS AFFECTED

	All versions 1.4.4 and earlier, primarily before 1.4

PROBLEM

	Steve Christey (coley@mitre.org) posted following:
	

	Rod Clark's sendform.cgi is a CGI  program  that  reads  form  data  and
	sends it to a program-specified administrator.  An  optional  capability
	can send  additional  "blurb  files"  to  the  e-mail  address  that  is
	provided in the form.
	

	Unfortunately,  any  remote  attacker  can  use  sendform.cgi  to   read
	arbitrary files with the privileges of the web server by  modifying  the
	BlurbFilePath parameter to reference the desired files.
	

	

	When sendform.cgi is used to notify a user  that  their  form  has  been
	submitted, it can read "blurb files" from the web server and  send  them
	in  an  email  to  the  user.  A  remote  attacker  can  manipulate  the
	BlurbFilePath parameter to identify any target file (or  set  of  files)
	on the web server, such as /etc/passwd. The "email" parameter  can  then
	be modified to point to  the  attacker's  own  email  address,  and  the
	SendCopyToUser parameter set to "yes." When  the  attacker  submits  the
	full request to sendform.cgi, a copy of the target file will be sent  to
	the attacker. There may be alternate attack vectors that do not  require
	the SendCopyToUser parameter.
	

	If the attacker can write files to the web server running  sendform.cgi,
	then the attacker can fully control the content of  the  e-mail  message
	and send it to arbitrary e-mail addresses. Since other form fields  such
	as the subject line are under attacker control, sendform.cgi could  then
	be used as a "spam proxy,"  in  a  fashion  similar  to  the  well-known
	vulnerability in formmail.pl [1].
	

	The filename that is provided to BlurbFilePath does not have to  contain
	.. characters to escape the web root. An  absolute  pathname  will  also
	work. Since sendform.cgi only allows a small range of  characters,  plus
	the  ..  and  /,  the  attacker  can  not  execute  commands  via  shell
	metacharacters, or redirect output to other files.
	

	It should be noted that there  appear  to  be  multiple  programs  named
	"sendform.cgi," including custom CGI scripts,  which  are  unrelated  to
	the product being discussed in this advisory.
	

	

	 Credits

	 =======

	

	 Brian Caswell (bmc@mitre.org)

	 Erik Tayler (erik@DIGITALDEFENSE.NET)

	

	

SOLUTION

	Upgrade to the current version, found at:
	

	http://www.scn.org/~bb615/scripts/sendform.html
	

	The only feasible workaround is to disable the  Blurb  File  feature  by
	commenting  out  calls  to  the   functions   MailFirstBlurbFile()   and
	MailOtherBlurbFiles().


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH