Subject: Fwd: Poor variable checking in mailto.cgi
From: Karl Hanmore (karl@system-administrator.net)
Date: Mon Sep 11 2000 - 17:55:41 CDT


Title: Poor variable checking in mailto.cgi (Mail - Credit Card Combo Mail-to and Credit Card program)

Advisory Author: Karl Hanmore <karl@system-administrator.net>

Script URL: http://rlaj.com/scripts/mailto/

Script Author: Ranson Johnson

Advisory Released: 11 September 2000

Vendor notified: support@rlaj.com, 05 Sept. 2000

Disclaimer: This information is provided AS IS. Neither I, my
employer, nor any other organisation or person warrants the information
supplied herein. In no instance will I or any other organisation
I am involved with accept responsibility for any damage or injury caused as
a result of the use of any information provided herein. This
information is provided for educational use only, and to allow
potentially affected persons to more adequately secure their systems.

Vulnerable: Tested version, the current version as distributed on the
website on 05 September 2000.

Overview: This script e-mails a feedback or credit card order form to
the site administrator and sends a confirmation reply to the person who
submitted the form. A malicious user can supply a malformed e-mail
address to execute arbitrary commands on the web server.

Impact: Abuse of this vulnerability allows arbitrary commands to be run
under the user id of the CGI process. This could be used to delete or
modify files, or to e-mail copies of any file readable by that user to
an attacker.

Detail: The "emailadd" form field is used directly in a piped open, so
the submitted address becomes part of the command line that is run. An
attacker who chooses the value of the e-mail address carefully can
therefore execute arbitrary commands.

Fix: Input checking should ensure that only valid characters are
present in the e-mail address, and user-supplied values should never be
passed to system(), piped opens or other operations that execute
commands. The patch below performs rudimentary address checking and
avoids passing user input to a piped open. It is believed that this was
addressed immediately by the script author upon notification of the
problem, and that new versions should already be updated accordingly.
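
As an added illustration (not code from mailto.cgi, its author, or the patch referred to above), the following shows the vulnerable pattern the advisory describes next to a hardened version. It assumes the script is Perl (a "piped open" is the Perl idiom), invents the names valid_address and send_reply and the sample addresses, and uses /bin/cat in place of sendmail so that it runs harmlessly offline:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rudimentary address check (whitelist): a local part and a dotted domain
# drawn from a conservative character set. This rejects shell metacharacters,
# whitespace and newlines (newlines would also permit mail header injection)
# and refuses a leading '-' so the value can never be read as a command-line
# option. \A and \z are used rather than ^ and $ because $ on its own would
# still accept a trailing newline.
sub valid_address {
    my ($addr) = @_;
    return 0 unless defined $addr && length($addr) <= 254;
    return $addr =~ /\A[A-Za-z0-9][A-Za-z0-9._+-]*\@
                     [A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?
                     (?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+\z/x ? 1 : 0;
}

# The pattern the advisory describes, reproduced only for contrast and never
# called here: the address is interpolated into the command string, so a value
# containing shell metacharacters runs the attacker's commands.
#   open(MAIL, "|/usr/lib/sendmail $emailadd") or die;

# Hardened version: validate first, then use the list form of open, which
# execs the mailer directly with no shell in between. The address is written
# into the To: header rather than onto the command line; with a real mailer
# the list would be ('/usr/lib/sendmail', '-t', '-oi') so that recipients are
# read from the headers (assumption: the site uses sendmail or a compatible
# mailer).
sub send_reply {
    my ($emailadd, $body, @mailer) = @_;
    die "Invalid e-mail address\n" unless valid_address($emailadd);
    open(my $mail, '|-', @mailer) or die "cannot run $mailer[0]: $!\n";
    print $mail "To: $emailadd\n";
    print $mail "Subject: Your submission was received\n";
    print $mail "\n$body";
    close($mail) or die "$mailer[0] exited with status $?\n";
    return 1;
}

# Constructed inputs for illustration; none of these come from the advisory.
my @cases = (
    ['customer@example.com',                             1],
    ['customer@example.com; id',                         0],  # shell command separator
    ['`id`@example.com',                                 0],  # command substitution
    ["customer\@example.com\nBcc: someone\@example.net", 0],  # header injection
    ['-Cevil@example.com',                               0],  # would parse as a mailer option
    ['not-an-address',                                   0],
);
for my $case (@cases) {
    my ($addr, $expected) = @$case;
    (my $shown = $addr) =~ s/\n/\\n/g;
    printf "%-50s %s\n", $shown, valid_address($addr) == $expected ? 'ok' : 'MISMATCH';
}

# Offline demonstration: /bin/cat stands in for sendmail, so the message is
# echoed to the terminal instead of being delivered.
send_reply('customer@example.com', "Thank you for your order.\n", '/bin/cat');
```

The two halves are independent defences: the list-form open removes the shell, and the whitelist keeps a value such as "-Cevil@example.com" from ever reaching the mailer, where a leading dash could still be interpreted as an option even without a shell. Apply both rather than relying on the check alone.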

Patch: See above disclaimer. This patch is provided AS IS; however,
the advisory author believes this should remedy the problem as
detailed.

==================================
Karl Hanmore
Email: karl@system-administrator.net