Subject: Mail File POST Vulnerability
From: Dirk Brockhausen (broBROCON.COM)
Date: Wed Oct 11 2000 - 12:42:33 CDT
MailFile v 1.10 by Oatmeal-Studios
< http://www.oatmeal-studios.com >
This Perl script enables a site's visitor to have a
given file dispatched to a specified email address.
The visitor is required to select the file from a
given list and to enter his or her email address.
The data is then sent to the target server in a POST
request.
In contrast to a GET request, a POST request carries the
form data in the request body, so the data does not
appear in the requested URL.
For example, if you search in AltaVista for the
phrase "ip blocker", the URL generated will look like
The query script is called with GET, which is why the
phrase is displayed in the URL and can even be
As the MailFile script uses a POST request, the file
name cannot be tampered with simply by editing the URL.
But this is false security! The script is in fact
vulnerable to a fairly simple attack.
For example, an attacker could copy the entry form to
his or her own web site and modify the file name
To rule this out, the script will check the "Referer"
variable. For security and bandwidth economy reasons
it will only permit calls from the domain it actually
resides on. Or so it seems.
In fact, an attacker can forge not only the User-Agent
string but the "Referer" header as well.
It takes only a few lines of Perl to send the required
form variables to the MailFile script.
use LWP::UserAgent;
use HTTP::Request::Common qw(POST);   # provides the POST() constructor
$ua  = LWP::UserAgent->new;
# Submit the three form fields directly, without going through the HTML form.
$res = $ua->request(POST 'http://domain/mailfile.cgi',
[real_name => 'value1',
email => 'value2',
filename => 'value3']);
This code works against any CGI script that accepts its
form data via the POST method.
In the case of the MailFile script discussed here, we
could even skip sending a Referer, because the
implemented check routine will simply regard the
Referer as valid if the referer variable has not been
Again, this method lets an attacker have any file on the
system mailed out, as long as it is readable by "others"
(world-readable) - a major security hazard!
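As an added example (not MailFile's own code), here is how a file-mailing CGI can gate the request on the server side: a fixed lookup table decides which files may be sent at all, and the Referer check fails closed on a missing header but is treated only as a courtesy filter, since the header is client-supplied. File names, paths and host names are constructed.

```perl
#!/usr/bin/perl
# Added example, not MailFile's own code: server-side gating for a
# file-mailing CGI. File names, paths and host names are constructed.
use strict;
use warnings;

# Logical names a visitor may request, mapped to real paths. The form
# value is only ever a key here and never becomes part of a path.
my %ALLOWED_FILES = (
    brochure  => '/var/www/files/brochure.pdf',
    pricelist => '/var/www/files/pricelist.txt',
);

# Resolve a submitted name to a path, or undef when it is not listed.
# This blocks "../etc/passwd" style names as well as any other
# world-readable file outside the intended set.
sub resolve_file {
    my ($name) = @_;
    return unless defined $name;
    return $ALLOWED_FILES{$name};
}

# Referer check that fails closed: an absent header is rejected and
# only the site's own scheme://host prefix passes. Because the header
# is sent by the client, treat this as a courtesy filter, not a gate.
sub referer_ok {
    my ($referer, $own_host) = @_;
    return 0 unless defined $referer && length $referer;
    return $referer =~ m{\Ahttps?://\Q$own_host\E(?:[:/]|\z)}i ? 1 : 0;
}

# Demonstration with constructed input; nothing is mailed.
for my $name ('pricelist', '../../etc/passwd', 'brochure.pdf') {
    my $path = resolve_file($name);
    printf "%-18s -> %s\n", $name, defined $path ? $path : 'REJECTED';
}
my $host = 'www.example.com';
for my $ref (undef, 'http://evil.example/form.html',
             "http://$host/mailfile.html") {
    printf "%-36s -> %s\n", defined $ref ? $ref : '(no Referer)',
        referer_ok($ref, $host) ? 'accepted' : 'REJECTED';
}
```

Only 'pricelist' resolves to a path; the raw file name 'brochure.pdf' is rejected because the form value must match a key exactly, never a path.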
Conclusion: For security reasons, this script should
not be implemented.
The examples and techniques presented and discussed
here are solely intended to help you improve your web
In no way should this information be abused to attack
other web sites or hosts!
Source: fantomNews < http://www.fantomaster.com >