John Scimone wrote:

>PGPMail.pl (http://www.venturablvd.com/pgpmail/) is a modified version of
>Matt Wright's FormMail.pl meant to support PGP form mail.
>I was recently looking at the code and noticed 2 questionable open() calls
>that appear to be exploitable:
>
>open (MAIL, "|$mailprog $CONFIG{'recipient'}") || die "Can't open
>$mailprog!\n";
>
>and...
>
>$ret_val = open (PGP, "|$pgpprog -fea +VERBOSE=0 \"$CONFIG{'pgpuserid'}\" >
>$pgptmp");
>
>recipient and pgpuserid are both kept in hidden fields supplied by the client.
>Wouldn't it be possible to just throw in a ; /bin/whatever to execute
>commands with the privileges of the webserver?
>
>the only parsing done on the input is in these lines:
>
>   $value =~ tr/+/ /;
>   $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
>
>   # If they try to include server side includes, erase them, so they
>   # arent a security risk if the html gets returned. Another
>   # security hole plugged up.
>
>   $value =~ s/<!--(.|\n)*-->//g;
>   $value =~ s/~!/ ~!/g; #maybe superfluos
>
>I don't understand perl that well so I'll leave this up to the reader to
>decide whether this can be exploited successfully, but your thoughts are
>appreciated.
>
>The last update to this script was done at the beginning of 2000 and it isn't
>too active on the web, however there are some sites running it and this
>should be looked at if it is exploitable.
>
>John Scimone
>CS Major @ Ga Tech
>

Hi John --

Yes, it is exploitable. I wrote an advisory for this already, but I didn't release it yet because I'm on vacation. =]

I informed the author three weeks ago, but I still didn't get a reply.

- Joe Testa
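The root cause in both quoted open() calls is that a two-argument piped open hands the whole string to /bin/sh, so shell metacharacters in a client-supplied hidden field become command separators. The following is an example added here by the editor, not code from PGPMail.pl or FormMail.pl; it shows the two fixes a maintainer would apply: an allow-list check on recipient and pgpuserid, and the multi-argument form of open() (and IPC::Open2 for the PGP pipe), which exec()s the program with an argv array and never invokes a shell. The paths in $mailprog, $pgpprog and $pgptmp, the helper names, and the %CONFIG values are assumptions constructed for the example; $mailprog is assumed to be a bare binary path with no embedded arguments, since the list form passes it as argv[0].

```perl
#!/usr/bin/perl
# Hardened replacement for the two open() calls quoted above.
# Editor's example, not part of PGPMail.pl. Assumptions: $mailprog and
# $pgpprog are bare paths (no embedded arguments); %CONFIG already holds
# the URL-decoded form fields; Perl 5.8+ for list-form piped open().
use strict;
use warnings;
use IPC::Open2;

my $mailprog = '/usr/lib/sendmail';   # assumption: path only, no "-t" etc.
my $pgpprog  = '/usr/local/bin/pgp';  # assumption
my $pgptmp   = "/tmp/pgpmail.$$";     # assumption: per-process temp file

# Allow-list validation: anything outside the pattern is refused outright.
# Rejecting is safer than the stripping the original script attempts.
sub valid_recipient {
    my ($addr) = @_;
    return 0 unless defined $addr;
    return 0 if $addr =~ /^-/;                 # would be parsed as an MTA option
    return $addr =~ /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+$/ ? 1 : 0;
}

sub valid_pgpuserid {
    my ($id) = @_;
    return 0 unless defined $id;
    return 0 if $id =~ /^[-+]/;                # pgp reads a leading -/+ as an option
    return $id =~ /^[A-Za-z0-9 ._@<>-]{1,128}$/ ? 1 : 0;
}

# Multi-argument open(): the program is exec'd with an argv array and no
# shell is involved, so ';', '|', '`' and '>' inside the field are just
# bytes in one argument rather than command separators.
sub open_mail {
    my ($recipient) = @_;
    die "bad recipient\n" unless valid_recipient($recipient);
    open(my $mail, '|-', $mailprog, $recipient)
        or die "Can't open $mailprog: $!\n";
    return $mail;
}

# The original used a shell '>' to capture pgp's output. Without a shell
# we read the child's stdout ourselves and write the temp file from Perl.
sub encrypt_to_file {
    my ($userid, $body) = @_;
    die "bad pgpuserid\n" unless valid_pgpuserid($userid);
    my $pid = open2(my $from_pgp, my $to_pgp,
                    $pgpprog, '-fea', '+VERBOSE=0', $userid);
    print {$to_pgp} $body;
    close $to_pgp;                              # EOF tells pgp to start encrypting
    open(my $out, '>', $pgptmp) or die "Can't write $pgptmp: $!\n";
    print {$out} $_ while <$from_pgp>;
    close $out;
    close $from_pgp;
    waitpid($pid, 0);
    return $? >> 8;                             # pgp's exit status
}

# Constructed sample fields: the first carries the "; /bin/whatever" payload
# discussed above and is refused by the allow-list before any open() runs.
my %CONFIG = (
    recipient => 'user@example.com; /bin/whatever',
    pgpuserid => 'Webmaster <user@example.com>',
);
print valid_recipient($CONFIG{recipient})  ? "recipient ok\n" : "recipient rejected\n";
print valid_pgpuserid($CONFIG{pgpuserid})  ? "userid ok\n"    : "userid rejected\n";
```

The validation is the primary control and the list-form open() is defence in depth: even if a future change loosens the pattern, the field can no longer reach a shell. The leading-dash checks matter because, without a shell, the remaining way to misuse an argv entry is to have the program itself interpret it as an option; this is why the original's "+VERBOSE=0" style of pgp option makes a leading "+" worth refusing too.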
This archive was generated by hypermail 2b30 : Fri Nov 30 2001 - 14:42:40 PST