On Fri, 14 Jun 2002, sec wrote:

> Example:
> POST
>
> /cgi-bin/cgiemail?required-webmaster=xxxat_private&required-from=zzzat_private&
> required-subject=spam%0aCC:address1at_private%20address2at_private%20address3at_private&
> comments=spam%20message
>
> Simple, clear enough.

Not really. Your example is going to do nothing but generate an error, at least under cgiemail 1.6.

First, cgiemail requires a text file template on the server itself as part of the URL to run the script. For example (from the cgiemail home page; cgiecho is the test program):

    <FORM METHOD="POST" ACTION="http://web.mit.edu/bin/cgiecho/wwwdev/cgiemail/questions3.txt">

In this case it's using a template file on the server in the directory wwwdev/cgiemail called questions3.txt. Without such a file it generates an error. There is no template referenced in your example above, so the options are never even parsed (or possibly it attempts to open it as a file on the local system, which still won't work).

In the specific case where there is an e-mail template on the server that takes a field called required-subject and uses it in the Subject: line, then your exploit may work in theory, though you would have to know the location of this file and add it to your example.

Yes, the location of the template will be in any forms that use it. However, the only way to determine if any fields are actually sent in the headers is testing each form to see if the template is retrievable via the web, or what fields will be in the headers of a generated e-mail. That seems to me to be non-trivial, though not to say it can't be done.

While this should probably be fixed, this is not going to be immediately exploitable on every cgiemail binary.

==========================================================
Chris Candreva -- chrisat_private -- (914) 967-7816
WestNet Internet Services of Westchester http://www.westnet.com/
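As an added illustration (this is not cgiemail's code and not part of the thread above): a minimal renderer in the style of a cgiemail template, which I assume consists of a header block with [field] placeholders, a blank line, and a body. The template and the query strings are constructed for the example. It shows the one check that closes the hole the thread is about: a submitted value that is substituted into the header block must not contain CR or LF, while the same characters are harmless in the body. It also shows how a reviewer can tell, from template plus submitted fields alone, which fields would be affected.

```python
import re
from urllib.parse import parse_qs

# Assumed cgiemail-style placeholder syntax: [fieldname]
PLACEHOLDER = re.compile(r"\[([A-Za-z0-9_-]+)\]")

# Constructed template: header block, blank line, body.
TEMPLATE = """To: [required-webmaster]
From: [required-from]
Subject: [required-subject]

[comments]
"""


class HeaderInjection(ValueError):
    """Raised when a header-block field carries a line break."""


def split_template(template: str):
    """Split a template into (header block, body) at the first blank line."""
    header, _, body = template.partition("\n\n")
    return header, body


def fields_from_query(query: str) -> dict:
    """Decode a query string into a field dict, first value per name (like a simple CGI).
    %0a / %0d are decoded here, so the injection check below sees real CR/LF."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def injected_headers(fields: dict, template: str = TEMPLATE) -> list:
    """Names of fields that the header block uses and whose value contains CR or LF.
    Empty list means the submission cannot add headers through this template."""
    header, _ = split_template(template)
    used = set(PLACEHOLDER.findall(header))
    return sorted(n for n in used if any(c in fields.get(n, "") for c in "\r\n"))


def render(fields: dict, template: str = TEMPLATE) -> str:
    """Substitute fields into the template. Header-block values are refused if they
    contain a line break; body values may contain anything."""
    header, body = split_template(template)

    def sub_header(m):
        name = m.group(1)
        value = fields.get(name, "")
        if "\r" in value or "\n" in value:
            raise HeaderInjection(f"line break in header field {name!r}")
        return value

    def sub_body(m):
        return fields.get(m.group(1), "")

    return PLACEHOLDER.sub(sub_header, header) + "\n\n" + PLACEHOLDER.sub(sub_body, body)


if __name__ == "__main__":
    # Constructed submissions: one benign, one with a line break in the Subject field.
    clean = fields_from_query(
        "required-webmaster=w@example.invalid&required-from=f@example.invalid"
        "&required-subject=hello&comments=line1%0aline2"
    )
    print(render(clean))
    print("affected header fields:", injected_headers(clean))

    bad = fields_from_query(
        "required-webmaster=w@example.invalid&required-from=f@example.invalid"
        "&required-subject=spam%0aCC:other@example.invalid&comments=x"
    )
    print("affected header fields:", injected_headers(bad))
    try:
        render(bad)
    except HeaderInjection as e:
        print("rejected:", e)
```

The split between header block and body is what makes the check precise: a newline in comments is legitimate multi-line text, a newline in required-subject becomes a new header line, so only placeholders above the blank line are guarded. injected_headers() is the same test run without sending anything, which is what Chris describes as the non-trivial part of assessing a given form: given the template a form points at, it tells you which submitted fields could reach the headers.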
This archive was generated by hypermail 2b30 : Fri Jun 14 2002 - 09:18:13 PDT