PGPMail.pl possible remote command execution

From: John Scimone (jscimoneat_private)
Date: Thu Nov 29 2001 - 16:25:58 PST


    PGPMail.pl (http://www.venturablvd.com/pgpmail/) is a modified version of 
    Matt Wright's FormMail.pl meant to support PGP form mail.
    I was recently looking at the code and noticed 2 questionable open() calls 
    that appear to be exploitable:
    
    open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open $mailprog!\n";
    
    and...
    
    $ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" > $pgptmp");
    
    recipient and pgpuserid are both kept in hidden fields supplied by the client.
    Wouldn't it be possible to just throw in a ; /bin/whatever to execute 
    commands with the privileges of the webserver?
    
    the only parsing done on the input is in these lines:
    
          $value =~ tr/+/ /;
          $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    
          # If they try to include server side includes, erase them, so they
          # arent a security risk if the html gets returned.  Another
          # security hole plugged up.
    
          $value =~ s/<!--(.|\n)*-->//g;
          $value =~ s/~!/ ~!/g; #maybe superfluos
    
    I don't understand perl that well so I'll leave this up to the reader to 
    decide whether this can be exploited successfully, but your thoughts are 
    appreciated.
    
    The last update to this script was done at the beginning of 2000 and it isn't 
    too active on the web, however there are some sites running it and this 
    should be looked at if it is exploitable.
    
    John Scimone
    CS Major @ Ga Tech
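
The defence against the problem described in the post is to keep client-supplied values away from the shell altogether. The following is an added example (not PGPMail.pl's own code) showing how the two open() calls could be rewritten in Perl with strict recipient validation and list-form open/exec; the program paths and temp file name are assumptions.

```perl
#!/usr/bin/perl
# Added example, not part of PGPMail.pl: the two open() calls from the
# report rewritten so that client-supplied values never reach /bin/sh.
use strict;
use warnings;

my $mailprog = '/usr/sbin/sendmail';   # assumed path
my $pgpprog  = '/usr/local/bin/pgp';   # assumed path
my $pgptmp   = "/tmp/pgpmail.$$";      # assumed temp file

# 1. Validate before use. A recipient is accepted only if it looks like an
#    address built from safe characters; anything containing ';', '|', '`',
#    quotes or whitespace is rejected outright rather than "cleaned up".
sub safe_recipient {
    my ($r) = @_;
    return $r =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/ ? $r : undef;
}

# 2. List-form open: Perl exec()s $mailprog directly with each argument as
#    a separate string, so no shell ever parses the recipient.
sub open_mail {
    my ($recipient) = @_;
    my $to = safe_recipient($recipient)
        or die "Refusing to mail to invalid recipient\n";
    open(my $mail, '|-', $mailprog, $to)
        or die "Can't open $mailprog: $!\n";
    return $mail;
}

# 3. The pgp call needs stdout redirected to $pgptmp. Redirection is a shell
#    feature, so do it in a forked child and then exec() pgp with an argument
#    list: the user id is passed as one argument even if it contains spaces
#    or shell metacharacters, and no shell is involved.
sub open_pgp {
    my ($pgpuserid) = @_;
    my $pid = open(my $pgp, '|-');           # fork; child's STDIN is $pgp
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {                         # child process
        open(STDOUT, '>', $pgptmp) or die "Can't write $pgptmp: $!\n";
        exec($pgpprog, '-fea', '+VERBOSE=0', $pgpuserid)
            or die "Can't exec $pgpprog: $!\n";
    }
    return $pgp;                             # parent writes the message here
}

# Constructed sample input resembling a form submission
my $mail = open_mail('webmaster@example.com');
print $mail "Subject: test\n\nbody\n";
close($mail) or warn "mail program exited with status $?\n";
```

With this structure a value such as the `; /bin/whatever` from the post simply fails the recipient check, and in the pgp case it would be delivered to pgp as a literal user id rather than interpreted as a command.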
    This archive was generated by hypermail 2b30 : Thu Nov 29 2001 - 18:15:42 PST