Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » Directory traversal vulnerability in sendform.cgi

Directory traversal vulnerability in sendform.cgi

by Nikola Strahija on July 31st, 2002 Rod Clark's sendform.cgi is a CGI program that reads form data and sends it to a program-specified administrator. An optional capability can send additional "blurb files" to the e-mail address that is provided in the form. Unfortunately, any remote attacker can use sendform.cgi to read arbitrary files with the privileges of the web server by modifying the BlurbFilePath parameter to reference the desired files.


When sendform.cgi is used to notify a user that their form has been
submitted, it can read "blurb files" from the web server and send
them in an email to the user. A remote attacker can manipulate the
BlurbFilePath parameter to identify any target file (or set of
files) on the web server, such as /etc/passwd. The "email"
parameter can then be modified to point to the attacker's own email
address, and the SendCopyToUser parameter set to "yes." When the
attacker submits the full request to sendform.cgi, a copy of the
target file will be sent to the attacker. There may be alternate
attack vectors that do not require the SendCopyToUser parameter.

If the attacker can write files to the web server running
sendform.cgi, then the attacker can fully control the content of the
e-mail message and send it to arbitrary e-mail addresses. Since
other form fields such as the subject line are under attacker
control, sendform.cgi could then be used as a "spam proxy," in a
fashion similar to the well-known vulnerability in formmail.pl [1].

The filename that is provided to BlurbFilePath does not have to
contain .. characters to escape the web root. An absolute pathname
will also work. Since sendform.cgi only allows a small range of
characters, plus the .. and /, the attacker can not execute commands
via shell metacharacters, or redirect output to other files.

It should be noted that there appear to be multiple programs named
"sendform.cgi," including custom CGI scripts, which are unrelated to
the product being discussed in this advisory.


___ Solution _________________________________________________________

Upgrade to the current version, found at:

http://www.scn.org/~bb615/scripts/sendform.html

The only feasible workaround is to disable the Blurb File feature by
commenting out calls to the functions MailFirstBlurbFile() and
MailOtherBlurbFiles().

Thanks to Rod Clark for diligently addressing this vulnerability.


___ Vulnerability Identifiers ________________________________________

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2002-0710 [2] to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

The SecurityFocus VulnHelp team ([email protected]) has
assigned Bugtraq ID 5286 [3] to this issue.


___ Disclosure Policy ________________________________________________

Disclosure of this vulnerability has been conducted in accordance
with the "Responsible Vulnerability Disclosure Process" draft,
currently published at:


http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt


___ Disclosure History _______________________________________________

2002/05/10: initial discovery of suspicious code
2002/05/16: vulnerability verified
2002/05/16: initial notification to vendor
2002/05/16: vendor acknowledges receipt
2002/06/14: vendor updated web site with patched version for review
2002/06/17: tested patched version, made some recommendations
2002/06/24: beginning of vacation, sweet vacation
2002/07/15: vendor provides most recent version
2002/07/18: final suggestions to vendor (tiny hole still left)
2002/07/18: CVE candidate obtained
2002/07/20: vendor releases final version
2002/07/23: Bugtraq ID obtained
2002/07/23: final version verified
2002/07/30: advisory released

This vulnerability was originally discovered while researching a
Snort IDS signature with Brian Caswell ([email protected]). The
signature apparently originated from a post to the Vuln-Dev mailing
list on January 24, 2001, by Erik Tayler [4], who inquired about
directory traversal attacks on sendform.

Approximately 5 hours were spent researching the vulnerability. An
additional 10-15 hours were spent consulting with the vendor and
evaluating patches.


___ References _______________________________________________________

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0357

[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0710

[3] http://www.securityfocus.com/bid/5286

[4] http://marc.theaimsgroup.com/?l=vuln-dev&m=98039690620489&w=2


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »