Yet another cgiemail and others bug. Not much to report, so we'll keep it concise. cgiemail: http://web.mit.edu/wwwdev/cgiemail/ Discussion: It's on open relaying bug. This vulnerability affects cgiemail and a lot of other web/mail applications, we are concentrating on cgiemail because it is considered safe. The same kind of exploit can be performed on many similar apps using the blessed "sendmail -t" to send the mail and avoid the bad attacker getting a shell. Details: The problem is very few developers filter the new line code "%0a". When posting data to the web/mail application, the remote user can take one of the predefined variables and add "%0a" followed by additional fields decoded by sendmail. For example CC: or Bcc: and so on. The result is that the mail is going to a lot of other addresses. Example: POST /cgi-bin/cgiemail?required-webmaster=xxxat_private&required-from=zzzat_private& required-subject=spam%0aCC:address1at_private%20address2at_private%20address3at_private& comments=spam%20message Simple, clear enough. ------------------ Vulnerability Reporting Detack GmbH IT Security Audits Alfred-Herrhausen-Str. 44 D - 58455 Witten Phone +49 (0) 2302 / 915 - 291 Fax +49 (0) 2302 / 915 - 295 Email: vulnsat_private WWW: www.detack.de
This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 07:42:04 PDT