Bugtraq mailing list archives
Stalker's CGImail Gives Read Access to All Server Files
From: "Sverre H. Huseby" <shh () THATHOST COM>
Date: Tue, 29 Aug 2000 19:46:18 +0200
Stalker's CGImail Gives Read Access to All Server Files
-------------------------------------------------------

Stalker Lab's Mailers package for Windows NT contains the CGImail.exe program, which is used to convert the contents of an HTML form to an email. The program takes a template file on the web server disk, and substitutes special markup ("variables") with values from the form before sending the mail. Attachments are also supported.

Unfortunately, every part of the mail sending process is controlled by (possibly hidden) values in the form. A malicious user may thus save the web page to disk, modify the recipient $To$ variable and the template $File$ or $Attach$ variable, and trick the program into sending any file from the web server disk to himself.

I have tested this positively on an unknown version of CGImail.exe (web server outside of my control; problem since fixed by removing CGImail.exe). The docs (cgimail.txt) for version 1.12 (1996-12-17), available from http://www.winsite.com/info/pc/winnt/netutil/sm112.zip/, indicate that the same problem exists with that version.

The Stalker Lab web page at http://www.stalkerlab.ch/SMailers/index.html is unreachable (No route to host), but a cached version at Google shows that a version of at least 1.20 is now available. I have not been able to find that version anywhere on the net.

The 1.12 docs have a section about "security": CGImail.exe may use the CGI HTTP_REFERER environment variable to make sure the page containing the form comes from the correct web server. I'm sure we all know how to fake an HTTP Referer header, so this sure is a false sense of security.

No solution to the problem is known, except for disabling (and deleting!) the program entirely.

Sverre H. Huseby <shh () thathost com>

--
<URL:mailto:shh () thathost com>
<URL:http://shh.thathost.com/>
Echelon bait: semtex, bin Laden, plutonium, North Korea, nuclear bomb
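As an added illustration (not CGImail's code, and not part of the original post), the following Python sketch shows how a form-to-mail handler can avoid this class of bug: the recipient and template are looked up from a server-side table keyed by a form id, any submitted $To$/$File$/$Attach$ values are ignored, and template paths are confined to one directory. The form ids, addresses and the template directory are constructed assumptions.

```python
"""Hardened form-to-mail dispatch (constructed example, not CGImail code)."""
import re
from email.message import EmailMessage
from pathlib import Path

TEMPLATE_ROOT = Path("/srv/mail-templates")  # assumed location, constructed

# Server-side configuration: recipient and template are fixed per form id.
# Nothing the client submits can change them.
FORMS = {
    "contact": {"to": "webmaster@example.com", "template": "contact.txt"},
    "order": {"to": "sales@example.com", "template": "order.txt"},
}

# Template markup in the CGImail style: $name$ is replaced by form field "name".
VAR_RE = re.compile(r"\$(\w+)\$")


def resolve_template(name, root=TEMPLATE_ROOT):
    """Return the template path, refusing anything that escapes the root."""
    root = root.resolve()
    path = (root / name).resolve()
    if root not in path.parents:  # catches "../x" and absolute names alike
        raise ValueError("template outside template directory")
    return path


def render(template_text, fields):
    """Substitute $var$ markers; unknown variables render as empty text."""
    return VAR_RE.sub(lambda m: fields.get(m.group(1), ""), template_text)


def build_message(form_fields, read_template):
    """Build the mail for a submission. read_template(path) -> str is injected
    so the logic can run offline; the real handler would read from disk."""
    cfg = FORMS.get(form_fields.get("form"))
    if cfg is None:
        raise ValueError("unknown form id")
    # Submitted To/File/Attach fields are deliberately never consulted.
    path = resolve_template(cfg["template"])
    msg = EmailMessage()
    msg["To"] = cfg["to"]
    msg["Subject"] = "Form submission: " + form_fields["form"]
    msg.set_content(render(read_template(path), form_fields))
    return msg
```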