Vulnerabilities in PGPMail.pl

[joetesta () hushmail com]

-----BEGIN PGP SIGNED MESSAGE-----

Vulnerabilities in PGPMail.pl



    Overview

PGPMail.pl v1.31 is a PERL script that extends Matt Wright's FormMail
v1.5 to encrypt HTML form data using PGP.  It is available from
<ftp://ftp.venturablvd.com/pub/pgpmail/>.  Two vulnerabilities exist
which allow a remote attacker to execute arbitrary commands on the web
server it is installed on.

Note: these vulnerabilities were also independently discovered by John
Scimone <jscimone () cc gatech edu>.  Reference:
<http://www.securityfocus.com/archive/82/243262>


    Details

The script passes user-supplied data directly to a shell:


line 373:
    open (MAIL, "|$mailprog $CONFIG{'recipient'}") ||
        die "Can't open $mailprog!\n";

line 383:
    $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0
        \"$CONFIG{'pgpuserid'}\" > $pgptmp");


The hash table, 'CONFIG', is built from either the QUERY_STRING or
standard input, depending on the method the input data was submitted
to the script.  None of the input is filtered.
    It should be noted that although the script checks the HTTP_REFERER
field against a list of acceptable sources, these vulnerabilities are
still exploitable by trivially forging a valid referer.



    Solution

Apply the following patch:


< open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";
< print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
- ---
> # Don't pass the recipient to the $mailprog on the command line.
> #     Instead, use the '-t' feature.  Fixed by Joe Testa
> #     (joetesta () hushmail com).
> open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
375a378
> print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
383c386,392
<       $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");
- ---
>       # The PGP user id must be passed via command line, so make sure
>       #     that only legal characters are present.  Fixed by Joe Testa
>       #     (joetesta () hushmail com).
>       $theUserID = $CONFIG{'pgpuserid'};
>       $theUserID =~ /([a-zA-Z0-9]+)/;
>       $theUserID = $1;
>       $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{$theUserID}\" > $pgptmp");



    Vendor Status

The script's author, William Malin, was contacted via
<pgpmail () venturablvd com> on Friday, November 9th, 2001.  No reply was
received.



    - Joe Testa

e-mail:   joetesta () hushmail com
web page: http://hogs.rit.edu/~joet/
AIM:      LordSpankatron



-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wl0EARECAB0FAjwHALIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNNjw
AJ9r0Son9N8YXLReXr0PR3ED7VFRRACgjyk4vsvkcV/xlioSX9Uud522ApA=
=8K3/
-----END PGP SIGNATURE-----