Vulnerabilities in PGPMail.pl

From: joetestaat_private
Date: Thu Nov 29 2001 - 19:45:38 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    Vulnerabilities in PGPMail.pl
    
    
    
        Overview
    
    PGPMail.pl v1.31 is a Perl script that extends Matt Wright's FormMail
    v1.5 to encrypt HTML form data with PGP before mailing it.  It is
    available from <ftp://ftp.venturablvd.com/pub/pgpmail/>.  Two
    vulnerabilities exist which allow a remote attacker to execute
    arbitrary commands on the web server it is installed on.
    
    Note: these vulnerabilities were also independently discovered by John
    Scimone <jscimoneat_private>.  Reference:
    <http://www.securityfocus.com/archive/82/243262>
    
    
        Details
    
    The script interpolates user-supplied data into the command string of
    two pipe opens.  Perl runs a one-argument pipe open through /bin/sh
    whenever the string contains shell metacharacters, so whoever controls
    these values controls the shell:
    
    
    line 373:
        open (MAIL, "|$mailprog $CONFIG{'recipient'}") ||
            die "Can't open $mailprog!\n";
    
    line 383:
        $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");
    
    
    The hash %CONFIG is built from either QUERY_STRING or standard input,
    depending on whether the form was submitted with GET or POST.  None of
    the input is filtered, so the 'recipient' and 'pgpuserid' fields can
    carry shell metacharacters such as ';', '|' or backticks straight into
    the commands above.
    
    Although the script checks the HTTP_REFERER field against a list of
    acceptable sources, this offers no protection: the Referer header is
    supplied by the client, so an attacker simply sends one that matches
    the list.
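
    The following is an added example, not code from the advisory or from
    PGPMail.pl, showing how the two opens above can be rewritten so that form
    input never reaches /bin/sh: list-form pipe opens (argv is exec'd
    directly), 'sendmail -t' with newline-checked headers instead of a
    recipient on the command line, and an anchored whitelist that fails
    closed for the one value that must remain an argv element.  The program
    paths and the contents of %CONFIG are constructed assumptions; in the real
    script %CONFIG comes unfiltered from the request.

```perl
#!/usr/bin/perl
# Added example (not from the advisory or PGPMail.pl): hardened versions of
# the two pipe opens quoted in the Details section.  Program paths are
# assumed server-side settings; %CONFIG is filled with constructed input.
use strict;
use warnings;
use IPC::Open2;

my $mailprog = '/usr/sbin/sendmail';        # assumed
my $pgpprog  = '/usr/local/bin/pgp';        # assumed
my $pgptmp   = "/tmp/pgpmail.$$";

# Constructed attacker input, as a form submission would deliver it.
my %CONFIG = (
    'recipient'  => 'webmaster@example.com; id > /tmp/owned',
    'pgpuserid'  => 'webmaster@example.com"; id; echo "',
    'your name'  => "Alice\nBcc: victim\@example.org",
    'your email' => 'alice@example.com',
);

# Vulnerable (PGPMail.pl lines 373 and 383): one-argument pipe opens hand
# the whole string to /bin/sh, so ';', '"', '|' and '`' in %CONFIG are live.
#   open(MAIL, "|$mailprog $CONFIG{'recipient'}");
#   open(PGP,  "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");

# Anchored whitelist for a value that must become an argv element.  The
# match covers the whole string and the caller fails closed: an unanchored
# /([a-zA-Z0-9]+)/ would accept 'x; id' because 'x' alone matches.
sub validate_userid {
    my ($id) = @_;
    return $1 if defined $id && $id =~ /^([A-Za-z0-9._@+-]+)\z/;
    die "pgpuserid contains disallowed characters\n";
}

# With 'sendmail -t' the recipients come from the headers, so a CR/LF in a
# header value would let the submitter append To:/Bcc: lines.
sub header_value {
    my ($v) = @_;
    die "newline in header value\n" if $v =~ /[\r\n]/;
    return $v;
}

sub send_mail {
    my ($to, $from, $body) = @_;
    # List-form open: $mailprog is exec'd directly, argv is never shell-parsed.
    open(my $mail, '|-', $mailprog, '-t', '-oi')
        or die "Can't open $mailprog: $!\n";
    print $mail "To: ",   header_value($to),   "\n";
    print $mail "From: ", header_value($from), "\n";
    print $mail "Subject: form submission\n\n$body\n";
    close($mail) or die "$mailprog exited with status ", $? >> 8, "\n";
}

sub pgp_encrypt {
    my ($userid, $plaintext) = @_;
    my $id = validate_userid($userid);
    # open2 also takes an argv list; the shell redirection '> $pgptmp' is
    # replaced by reading PGP's stdout here and writing the file ourselves.
    my $pid = open2(my $pgp_out, my $pgp_in, $pgpprog, '-fea', '+VERBOSE=0', $id);
    print $pgp_in $plaintext;
    close($pgp_in);
    local $/;
    my $ciphertext = <$pgp_out>;
    waitpid($pid, 0);
    die "$pgpprog failed\n" if $? != 0;
    open(my $fh, '>', $pgptmp) or die "Can't write $pgptmp: $!\n";
    print $fh $ciphertext;
    close($fh);
    return $ciphertext;
}

# Demonstration on the constructed input: the hostile values are rejected
# before any external program would be started, a clean id passes.
print "accepted id: ", validate_userid('webmaster@example.com'), "\n";
eval { validate_userid($CONFIG{'pgpuserid'}); 1 } or print "rejected pgpuserid: $@";
eval { header_value($CONFIG{'your name'}); 1 }   or print "rejected 'your name': $@";

# send_mail() and pgp_encrypt() need the real binaries; only run when present.
if (-x $pgpprog) {
    my $ct = pgp_encrypt('webmaster@example.com', "hello\n");
    send_mail('webmaster@example.com', 'Alice <alice@example.com>', $ct) if -x $mailprog;
}
```

    The two validators are deliberately separate: header_value() only has to
    keep a value on one line because sendmail parses it as a header, while
    validate_userid() has to keep the value a single harmless argv element,
    which is a much smaller character set.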
    
    
    
        Solution
    
    Apply the following patch:
    
    
    < open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";
    < print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
    - ---
    > # Don't pass the recipient to the $mailprog on the command line.
    > #     Instead, use the '-t' feature.  Fixed by Joe Testa
    > #     (joetestaat_private).
    > open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
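    Review bot: `-t` removes the recipient from argv, but it makes sendmail take the recipients from the headers, and the `From:` line that follows the new `open` still interpolates `$CONFIG{'your name'}` and `$CONFIG{'your email'}` unfiltered; a CR/LF in either value lets the submitter append `To:`/`Bcc:` headers that `sendmail -t` will honor. Reject newlines before printing, e.g. `die "bad header\n" if $CONFIG{'your name'} =~ /[\r\n]/;`, and do the same for the recipient value used in the `To:` header. Also, this hunk has no range header before its first `<` line (the later hunks carry `375a378` and `383c386,392`), so `patch` will not apply it as quoted.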
    375a378
    > print MAIL "From: $CONFIG{'your name'} \<$CONFIG{'your email'}\>\n";
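    Review bot: this hunk only re-adds the `From:` print that the previous hunk deleted, three lines lower; the net change to the script is the `open` line plus comments. Regenerating the diff with `diff -u` would fold this into a single hunk and make the actual change easier to review.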
    383c386,392
    <       $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");
    - ---
    >       # The PGP user id must be passed via command line, so make sure
    >       #     that only legal characters are present.  Fixed by Joe Testa
    >       #     (joetestaat_private).
    >       $theUserID = $CONFIG{'pgpuserid'};
    >       $theUserID =~ /([a-zA-Z0-9]+)/;
    >       $theUserID = $1;
    >       $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{$theUserID}\" > $pgptmp");
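    Review bot: the last line of the hunk passes `\"$CONFIG{$theUserID}\"` instead of `\"$theUserID\"`, so the sanitized value is used as a key into `%CONFIG`: PGP receives either an empty string (with an uninitialized-value warning) or, if a form field happens to share that name, an unfiltered value from the request, and the validated id is never used. Change it to `\"$theUserID\"`. The filter itself also needs tightening: `/([a-zA-Z0-9]+)/` is unanchored, so an input like `x"; id; "` matches on `x` and silently encrypts to a different key, and when the input contains no alphanumerics the match fails and `$1` keeps whatever the last successful match in the enclosing scope set. Anchor it and fail closed, e.g. `die "bad pgpuserid\n" unless $CONFIG{'pgpuserid'} =~ /^([a-zA-Z0-9]+)$/;` before assigning `$theUserID = $1;`. Note too that the class excludes `@`, `.` and space, so a user id given as an e-mail address or a name will be truncated or rejected; widen it to what the configured key id needs while still excluding shell metacharacters and the double quote.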
    
    
    
        Vendor Status
    
    The script's author, William Malin, was contacted via
    <pgpmailat_private> on Friday, November 9th, 2001.  No reply was
    received.
    
    
    
        - Joe Testa
    
    e-mail:   joetestaat_private
    web page: http://hogs.rit.edu/~joet/
    AIM:      LordSpankatron
    
    
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.1
    Note: This signature can be verified at https://www.hushtools.com
    
    wl0EARECAB0FAjwHALIWHGpvZXRlc3RhQGh1c2htYWlsLmNvbQAKCRA/wHT6vruBNNjw
    AJ9r0Son9N8YXLReXr0PR3ED7VFRRACgjyk4vsvkcV/xlioSX9Uud522ApA=
    =8K3/
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 12:20:47 PST