Re: SECURITY HOLE: FormMail
Christian Wettergren (cwe@Csli.Stanford.EDU), Thu, 3 Aug 1995 13:52:19 -0700
- Next message: Pat The Friendly RedNeck: "Re: SECURITY HOLE: "Guestbook""
- Previous message: Darren Reed: "bug in /sbin/ps on sunos5.4 ?"
- In reply to: Paul Phillips: "SECURITY HOLE: FormMail"
- Next in thread: Andrew Macpherson: "Re: SECURITY HOLE: FormMail"
| It does have a security hole, it has the *exact* same hole that
| AnyForm did, except that it is exploited via open instead of system.
| But a shell by any other name...
|
| Here's the offending line:
|
| open (MAIL, "|$mailprog $FORM{'recipient'}") || die "Can't open $mailprog!\n";
|
| Maybe I should use all caps this time: DON'T PASS UNCHECKED USER
| DATA TO SHELLS. I just obtained /etc/motd from a site running
| FormMail, and it was sent to me courtesy of root... my oh my.
Also, remember to filter the data correctly. When we are talking about
mail, you should filter for the following stuff at least:

If handled by /usr/ucb/mail:
 * Tildes at the beginning of a line, since you can do
   ~!/bin/sh and ~|/bin/sh etc.
 * Include attacks from sendmail as well.

If handled by /bin/mail:
 * Watch out for lines starting with !, since you can do
   !/bin/sh on some /bin/mail's.

If handled by a sendmail:
 * Email addresses starting with ! or /, since you can do
   <!/bin/sh> or </.rhosts>
 * Filter out strange headers, like
   Errors-to: Return-receipt-to:
   since your problem (the same as above) might come back further
   down, if done by a clever attacker.
Anyone care to join more mail horrors? :-)
/Christian Wettergren
cwe@it.kth.se
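As an added example (not FormMail's code, nor code from either poster), here is the quoted open() rewritten in Perl so that form data never reaches a shell, combined with the body and header filtering the reply lists. The mailer path, the sendmail flags and the form values are assumptions; the form values are constructed sample input.

```perl
# Added example, not FormMail's own code: the quoted open() rewritten so
# that no shell sees form data, plus the mail-specific filters the reply
# lists. $mailprog and %FORM mirror FormMail's variables; the values are
# constructed sample input so the script runs stand-alone.
use strict;
use warnings;

my $mailprog = '/usr/lib/sendmail';            # assumed mailer path
my %FORM = (
    recipient => 'webmaster@example.com',
    subject   => "Feedback\nErrors-To: attacker\@example.net",
    body      => "Hello\n~!/bin/sh\n!date\nthis line is fine\n",
);

# Narrow address syntax: alphanumeric first character, so nothing that
# starts with '!' or '/' (the sendmail cases above) or contains a shell
# metacharacter can pass.
sub valid_recipient {
    my ($addr) = @_;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._%+-]*\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? 1 : 0;
}

# Drop body lines a mailer could treat as escapes: leading '~' (ucb mail)
# or leading '!' (some /bin/mail builds).
sub clean_body {
    my ($body) = @_;
    return join '', map { "$_\n" } grep { !/\A[~!]/ } split /\n/, $body;
}

# Fold the only user-controlled header onto one line so no extra header
# (Errors-To:, Return-Receipt-To:, ...) can be smuggled in after a newline.
sub clean_header_value { my ($v) = @_; $v =~ s/[\r\n]+/ /g; return $v; }

sub build_message {
    my ($to, $subject, $body) = @_;
    die "bad recipient\n" unless valid_recipient($to);
    return "To: $to\nSubject: " . clean_header_value($subject) . "\n\n" . clean_body($body);
}

my $msg = build_message($FORM{recipient}, $FORM{subject}, $FORM{body});
if (-x $mailprog) {
    # List-form open: arguments go straight to execve(), no /bin/sh involved,
    # and -t makes sendmail take the (validated) recipient from the To: header.
    open(my $mail, '|-', $mailprog, '-oi', '-t') or die "Can't open $mailprog: $!\n";
    print $mail $msg;
    close $mail or die "delivery failed\n";
} else {
    print $msg;    # no mailer on this host: show what would be sent
}
```

Run without a mailer installed, the script prints the cleaned message, showing the injected Errors-To: header folded into the subject and the ~ and ! lines gone.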