Another cgiemail bug

From: sec (vulnsat_private)
Date: Fri Jun 14 2002 - 07:20:55 PDT

    Yet another bug in cgiemail, and in other applications of the same kind.
    There is not much to report, so we will keep it concise.
    cgiemail: http://web.mit.edu/wwwdev/cgiemail/
    
    Discussion:
    It's an open relaying bug. This vulnerability affects cgiemail and a lot
    of other web/mail applications; we concentrate on cgiemail because it is
    considered safe. The same kind of exploit can be performed on many similar
    apps that use the blessed "sendmail -t" to send the mail, which avoids
    giving the attacker a shell.
    
    Details:
    The problem is that very few developers filter the newline code "%0a". When
    posting data to the web/mail application, the remote user can take one of
    the predefined variables and append "%0a" followed by additional header
    fields that sendmail interprets, for example CC: or Bcc:. The result is that
    the mail goes to a lot of other addresses.
    
    Example:
    POST
    
    /cgi-bin/cgiemail?required-webmaster=xxxat_private&required-from=zzzat_private&
    required-subject=spam%0aCC:address1at_private%20address2at_private%20address3at_private&
    comments=spam%20message
    
    Simple, clear enough.
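    As an added example (not cgiemail's own code), the header-building pattern the advisory describes next to the newline check that stops it. The query string, field names and addresses are constructed stand-ins modelled on the POST above; "sendmail -t" is simulated by collecting the To/Cc/Bcc headers of the resulting message.

```python
# Added example: header injection through a %0a in a form field, and the check that blocks it.
from urllib.parse import parse_qs
from email.parser import Parser

# Constructed query string modelled on the advisory's POST example (addresses are placeholders).
QUERY = ("required-webmaster=webmaster%40example.org&required-from=sender%40example.org&"
         "required-subject=spam%0aCC:victim1%40example.org%20victim2%40example.org&"
         "comments=spam%20message")


def parse_fields(query: str) -> dict:
    """Decode the form; %0a becomes a literal newline here, exactly as a CGI would see it."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def build_message_unsafe(fields: dict) -> str:
    """The weak pattern: form values copied verbatim into headers handed to 'sendmail -t'."""
    return (f"To: {fields['required-webmaster']}\n"
            f"From: {fields['required-from']}\n"
            f"Subject: {fields['required-subject']}\n"
            f"\n{fields['comments']}\n")


def header_safe(value: str) -> bool:
    """A single header value must never contain CR or LF; either one starts a new header."""
    return "\r" not in value and "\n" not in value


def build_message_safe(fields: dict) -> str:
    """Hardened form: refuse any header field that carries a line break."""
    for name in ("required-webmaster", "required-from", "required-subject"):
        if not header_safe(fields[name]):
            raise ValueError(f"line break in header field {name!r}")
    return build_message_unsafe(fields)


def rejects(fields: dict) -> bool:
    """True if the hardened builder refuses these fields."""
    try:
        build_message_safe(fields)
    except ValueError:
        return True
    return False


def recipients(raw_message: str) -> list:
    """What 'sendmail -t' would deliver to: every To, Cc and Bcc header it finds."""
    msg = Parser().parsestr(raw_message)
    found = []
    for header in ("To", "Cc", "Bcc"):
        found.extend(msg.get_all(header, []))
    return found
```

    With the injected subject, the unsafe builder yields a second recipient header that the hardened builder rejects outright.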
    
    
    ------------------
    Vulnerability Reporting
    Detack GmbH
    IT Security Audits
    Alfred-Herrhausen-Str. 44 D - 58455 Witten
    Phone +49 (0) 2302 / 915 - 291
    Fax +49 (0) 2302 / 915 - 295
    Email: vulnsat_private
    WWW: www.detack.de