Bugtraq mailing list archives

Re: Another cgiemail bug


From: "Christopher X. Candreva" <chris () westnet com>
Date: Fri, 14 Jun 2002 11:30:44 -0400 (EDT)

On Fri, 14 Jun 2002, sec wrote:

Example:
POST

/cgi-bin/cgiemail?required-webmaster=xxx () xxx com&required-from=zzz () zzz com&
required-subject=spam%0aCC:address1 () smap com%20address2 () smap com%20address3 () smap com&
comments=spam%20message

Simple, clear enough.


Not really. Your example is going to do nothing but generate an error, at
least under cgiemail 1.6.

First, cgiemail requires a textfile template on the server itself as part
of the URL to run the script. For example (from the cgiemail home page,
cgiecho is the test program):

<FORM METHOD="POST"
 ACTION="http://web.mit.edu/bin/cgiecho/wwwdev/cgiemail/questions3.txt">

In this case it's using a template file on the server in the directory
wwwdev/cgiemail called questions3.txt.
Without such a file it generates an error. There is no template referenced in
your example above, so the options are never even parsed (or possibly it
attempts to open it as a file on the local system, which still won't work).

In the specific case where there is an e-mail template on the server that
takes a field called required-subject and uses it in the Subject: line, then
your exploit may work in theory, though you would have to know the location
of this file and add it to your example.

Yes, the location of the template will be in any forms that use it. However,
the only way to determine if any fields are actually sent is testing
each form to see if the template is retrievable via the web, or what fields
will be in the headers of a generated e-mail, which seems to me to be non-trivial,
though not to say it can't be done.

While this should probably be fixed, this is not going to be immediately
exploitable on every cgiemail binary.



==========================================================
Chris Candreva  -- chris () westnet com -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
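An added illustration of the template-expansion behaviour this thread argues about (constructed example code, not cgiemail's source): the bracketed placeholder syntax, the template and the field values are assumptions modelled on the example in the quoted post. It shows how a %0a in a field that the template places in the Subject: line yields an extra CC: header under naive substitution, and a hardened expander that refuses CR/LF in any header-bound field.

```python
import re
from urllib.parse import parse_qs

# Constructed template; "[field]" placeholder syntax is an assumption,
# not necessarily cgiemail's own.
TEMPLATE = """To: [required-webmaster]
From: [required-from]
Subject: [required-subject]

[comments]
"""

# Constructed form body mirroring the quoted example (%0a = newline, %20 = space).
ATTACK_BODY = ("required-webmaster=webmaster@example.com&"
               "required-from=user@example.com&"
               "required-subject=spam%0aCC:a@example.com%20b@example.com&"
               "comments=spam%20message")

PLACEHOLDER = re.compile(r"\[([\w-]+)\]")


def expand(template, fields):
    """Naive substitution: copies each field value into the template verbatim."""
    return PLACEHOLDER.sub(lambda m: fields.get(m.group(1), [""])[0], template)


def expand_safe(template, fields):
    """Hardened: values substituted into the header block must not contain CR or LF."""
    head, sep, body = template.partition("\n\n")

    def header_value(m):
        val = fields.get(m.group(1), [""])[0]
        if "\r" in val or "\n" in val:
            raise ValueError("newline in header-bound field %r" % m.group(1))
        return val

    head = PLACEHOLDER.sub(header_value, head)
    body = PLACEHOLDER.sub(lambda m: fields.get(m.group(1), [""])[0], body)
    return head + sep + body


def headers_for(form_body, safe=False):
    """Return the header names of the generated mail, or None if the expander rejected it."""
    fields = parse_qs(form_body)
    try:
        msg = expand_safe(TEMPLATE, fields) if safe else expand(TEMPLATE, fields)
    except ValueError:
        return None
    head = msg.partition("\n\n")[0]
    return [line.split(":", 1)[0] for line in head.splitlines()]
```

With the naive expander the generated mail carries a fourth header, CC:, that the template never declared; the hardened one rejects the submission outright.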


