Bugtraq mailing list archives
Re: SECURITY HOLE: FormMail
From: cwe () Csli Stanford EDU (Christian Wettergren)
Date: Thu, 3 Aug 1995 13:52:19 -0700
| It does have a security hole, it has the *exact* same hole that
| AnyForm did, except that it is exploited via open instead of system.
| But a shell by any other name...
|
| Here's the offending line:
|
| open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n";
|
| Maybe I should use all caps this time: DON'T PASS UNCHECKED USER
| DATA TO SHELLS. I just obtained /etc/motd from a site running
| FormMail, and it was sent to me courtesy of root... my oh my.

Also, remember to filter the data correctly. When we are talking about
mail, you should filter for the following stuff at least:

If handled by /usr/ucb/mail:
 * Tildes at the beginning of a line, since you can do
   ~!/bin/sh and ~|/bin/sh etc
 * Include attacks from sendmail as well.

If handled by /bin/mail
 * Watch out for lines starting with !, since you can do
   !/bin/sh on some /bin/mail's.

If handled by a sendmail:
 * email addresses starting with ! or / since you can do
   <!/bin/sh> or </.rhosts>
 * Filter out strange headers, like
     Errors-to:
     Return-receipt-to:
   since your problem (the same as above) might come back
   further down, if done by a clever attacker.

Anyone care to join more mail horrors? :-)

/Christian Wettergren
cwe () it kth se
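
A hardened counterpart to the quoted open() line, as an added example that is not part of the original post or of FormMail itself. It validates the recipient, keeps header values on one line, neutralizes the body escapes listed above, and starts the mailer without a shell. The sendmail path, the address pattern and the helper names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed path; FormMail calls this $mailprog.
my $mailprog = '/usr/lib/sendmail';

# Accept only a plain user@host address. This rejects shell metacharacters,
# whitespace, and the leading '!', '/', '|' and '-' forms named in the post.
sub valid_recipient {
    my ($addr) = @_;
    return defined $addr
        && $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@[A-Za-z0-9][A-Za-z0-9.-]*\z/;
}

# A header value must stay on one line, or the submitter can append
# headers such as Errors-to: or Return-receipt-to:.
sub clean_header {
    my ($value) = @_;
    $value =~ s/[\r\n].*//s;    # drop everything from the first CR or LF
    return $value;
}

# Indent body lines starting with '~' or '!' so /usr/ucb/mail and
# /bin/mail do not treat them as escapes.
sub clean_body {
    my ($body) = @_;
    $body =~ s/^([~!])/ $1/mg;
    return $body;
}

# List-form pipe open: perl execs $mailprog directly, no shell parses the args.
sub send_mail {
    my ($recipient, $subject, $body) = @_;
    die "bad recipient\n" unless valid_recipient($recipient);
    open(my $mail, '|-', $mailprog, '-oi', '--', $recipient)
        or die "Can't run $mailprog: $!\n";
    print {$mail} "To: $recipient\n", "Subject: ", clean_header($subject), "\n\n",
                  clean_body($body);
    close($mail) or die "$mailprog failed: $?\n";
}

# Constructed sample inputs; nothing is sent.
for my $r ('webmaster@example.com', 'a@example.com; cat /etc/motd', '!/bin/sh', '/.rhosts') {
    printf "%-32s %s\n", $r, valid_recipient($r) ? 'accepted' : 'rejected';
}
print clean_header("Feedback\nErrors-to: x\@example.com"), "\n";
print clean_body("hello\n~!/bin/sh\n");
```

Where the recipient never needs to vary, a fixed address set in the script's own configuration removes the user-supplied value from the command line entirely.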