Subject: issues with free Perl CGI's (Re: Black Watch Labs...)
From: Peter W (peterw at USA.NET)
Date: Wed May 10 2000 - 23:25:54 CDT
At 4:11pm May 10, 2000, Black Watch Labs wrote:
> "Environment and setup variables can be viewed through FormMail
> script"
> Products affected:
> Matt’s FormMail.cgi
Many form-mail scripts are designed to be as easy to use as possible,
relying heavily on hidden form values...
> Vendor Patch or workaround:
> None submitted at the time of this release.
...many of these scripts are also Perl-based, which means auditing and
correcting them are easy. Some of the approaches I've taken to clean up
scripts like this (including a derivative of formmail.cgi with similar
issues that a design firm wanted me to install)
- hard-code/override some values in the CGI (also used to disable values)
- use pattern matching in the CGI to validate values
- have the script open the referring page, parse hidden values, and
use them to override values that may have been altered by an attacker
- add X-* headers to sent mail to facilitate tracking abuse
Anybody who's not auditing and tweaking freebie scripts like this one
needs to rethink their Web app procedures. See Aleph's recent
SecurityFocus piece on how having source does not ensure the code is safe.
BTW, did you even contact the script vendor?
> Summary:
> The script allows several environment variables to be viewed by the
> attacker, who can gain useful information on the site, making further
> attacks more feasible.
It also appears to be vulnerable to cross-site scripting problems.
Hint: hack the 'required' config, e.g.
http://victim.example.com/formmail.cgi?required='javascript%3aalert("hello")%3b'>hello</a>&recipient=foo

> About Black Watch Labs ...
> Black Watch Labs is a research group operated by Perfecto Technologies
> Inc., leader in Web application security management.

Yeah, yeah, yeah. The disclaimers and self promotion are almost as long as
the "advisory". I'm not impressed.

BTW, attached are some patches to start to plug the hole that you chose to
expose, and the cross-site scripting hole I mentioned in the required
fields (as well as another that jumped out at me). There may be more
holes, but what do you expect from a free, three-year-old script?

-Peter

http://www.bastille-linux.org/ : working towards more secure Linux systems
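The four clean-up measures Peter lists (hard-coded overrides, pattern validation, re-reading the referring page's hidden fields, X-* tracking headers) plus escaping of the echoed 'required' names, as an added Python sketch; this is not Peter's attached patch nor Matt's script. The field names recipient, required, email and env_report, the referring page and the submission are assumptions and constructed sample data.

```python
"""Server-side checks for a form-mail CGI, following the four measures in the post.
Field names, the referring page and the submission below are assumptions/constructed data."""
import html
import re
from html.parser import HTMLParser

ALLOWED_RECIPIENTS = {"webmaster@example.com"}      # 1. hard-coded, never client-chosen
ALLOWED_ENV = {"REMOTE_ADDR", "HTTP_USER_AGENT"}     # env vars a report may include at all
FIELD_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")  # 2. pattern for names in 'required'

class HiddenFieldParser(HTMLParser):
    """3. Collect <input type="hidden"> name/value pairs from the referring page."""
    def __init__(self):
        super().__init__()
        self.hidden = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value") or ""

def harden(form, referer_html, env):
    """Return (mail_headers, errors); client input is only ever echoed HTML-escaped."""
    parser = HiddenFieldParser()
    parser.feed(referer_html)
    merged = dict(form)
    merged.update(parser.hidden)        # the page's own hidden values override the client's
    errors = []
    recipient = merged.get("recipient", "")
    if recipient not in ALLOWED_RECIPIENTS:
        errors.append("recipient not permitted")
    names = [n.strip() for n in merged.get("required", "").split(",") if n.strip()]
    for name in names:
        if not FIELD_NAME_RE.match(name):
            errors.append("bad field name: " + html.escape(name))   # closes the XSS echo
        elif not merged.get(name):
            errors.append("missing required field: " + html.escape(name))
    headers = {"To": recipient, "X-Form-Remote-Addr": env.get("REMOTE_ADDR", "")}  # 4.
    for var in merged.get("env_report", "").split(","):
        if var in ALLOWED_ENV:          # anything not on the allow-list is dropped
            headers["X-Form-Env-" + var] = env.get(var, "")
    return headers, errors
SAMPLE_REFERER = ('<form action="/cgi-bin/formmail.cgi"><input type="hidden" name="recipient"'
                  ' value="webmaster@example.com"><input type="hidden" name="required"'
                  ' value="email,message"></form>')
SAMPLE_FORM = {"recipient": "someone-else@example.net", "required": "'><b>x</b>",
               "email": "visitor@example.org", "message": "hi", "env_report": "REMOTE_ADDR,PATH"}
SAMPLE_ENV = {"REMOTE_ADDR": "203.0.113.5", "PATH": "/usr/bin"}
def demo():
    return harden(SAMPLE_FORM, SAMPLE_REFERER, SAMPLE_ENV)
```

In the sample the client's recipient and required values are both discarded in favour of the referring page's hidden fields, and only the allow-listed environment variable reaches the mail headers.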