Vulnerability: CGImail

Affected: Stalker's CGImail

Description:
Sverre H. Huseby found the following. Stalker Lab's Mailers package for Windows NT contains the CGImail.exe program, which is used to convert the contents of an HTML form to an email. The program takes a template file on the web server disk and substitutes special markup ("variables") with values from the form before sending the mail. Attachments are also supported. Unfortunately, every part of the mail sending process is controlled by (possibly hidden) values in the form. A malicious user may thus save the web page to disk, modify the recipient ($To$) variable and the template ($File$) or attachment ($Attach$) variable, and trick the program into sending any file from the web server disk to himself.

Solution:
Sverre has confirmed this on an unknown version of CGImail.exe (on a web server outside of his control; the problem has since been fixed there by removing CGImail.exe). The docs (cgimail.txt) for version 1.12 (1996-12-17), available from http://www.winsite.com/info/pc/winnt/netutil/sm112.zip/, indicate that the same problem exists in that version. The Stalker Lab web page at http://www.stalkerlab.ch/SMailers/index.html is unreachable (No route to host), but a cached version at Google shows that a version of at least 1.20 is now available. The 1.12 docs have a section about "security": CGImail.exe may use the CGI HTTP_REFERER environment variable to make sure the page containing the form comes from the correct web server. No solution to the problem is known, except for disabling (and deleting!) the program entirely.
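The design flaw above is that the client-controlled form names the recipient, the template file and the attachment. The following Python handler is an added example, not CGImail's code, showing the corrected design: the client may only send an opaque form id, while recipient, template and attachment are looked up in a server-side registry and the resolved paths are checked to stay inside the templates directory. Any CGImail-style control variable arriving from the client is rejected outright. The form ids, addresses, file names and field names are constructed for the example. The HTTP_REFERER check mentioned in the 1.12 docs is deliberately not relied on, since the Referer header is supplied by the client and can carry any value.

```python
"""
Added example (not CGImail's code): a form-to-mail handler that keeps the
recipient, template and attachment choices on the server side. All
registry entries, addresses and file names below are constructed.
"""
from pathlib import Path

# Constructed server-side registry: the client may choose only the key.
FORM_REGISTRY = {
    "contact": {
        "to": "webmaster@example.invalid",
        "template": "contact.txt",
        "attach": None,
    },
    "brochure": {
        "to": "sales@example.invalid",
        "template": "brochure.txt",
        "attach": "brochure.pdf",
    },
}

# Only these submitted fields are ever substituted into a template.
ALLOWED_FIELDS = {"name", "email", "message"}

# Fields that steer the mail process in CGImail. A client must never supply
# them, so their mere presence is treated as an attack signal and logged.
CONTROL_FIELDS = {"To", "File", "Attach", "From", "Subject"}


class FormMailError(ValueError):
    """Raised when a request tries to control the mail process."""


def _resolve_inside(base, name: str) -> Path:
    """Resolve name under base and refuse anything that escapes base."""
    base = Path(base).resolve()
    candidate = (base / name).resolve()
    if base != candidate and base not in candidate.parents:
        raise FormMailError(f"path escapes template directory: {name!r}")
    return candidate


def build_mail(fields: dict, template_dir) -> dict:
    """Turn submitted form fields into a mail description.

    Returns {"to", "template", "attach", "body_vars"} on success and raises
    FormMailError if the client tried to choose any of those itself.
    """
    # Reject any attempt to pass CGImail-style control variables.
    controlled = CONTROL_FIELDS & set(fields)
    if controlled:
        raise FormMailError(f"client-supplied control field(s): {sorted(controlled)}")

    form_id = fields.get("form_id")
    if form_id not in FORM_REGISTRY:
        raise FormMailError(f"unknown form id: {form_id!r}")
    entry = FORM_REGISTRY[form_id]

    # Paths come from the registry, never from the request; the containment
    # check still guards against a misconfigured registry entry.
    template = _resolve_inside(template_dir, entry["template"])
    attach = _resolve_inside(template_dir, entry["attach"]) if entry["attach"] else None

    # Substitute only allowlisted user fields, never file names or addresses.
    body_vars = {k: v for k, v in fields.items() if k in ALLOWED_FIELDS}

    return {"to": entry["to"], "template": template, "attach": attach, "body_vars": body_vars}


if __name__ == "__main__":
    tmpl_dir = "templates"  # constructed; need not exist for the path checks
    ok = build_mail({"form_id": "contact", "name": "A", "message": "hi"}, tmpl_dir)
    print("accepted:", ok["to"], ok["template"].name)
    for bad in ({"form_id": "contact", "File": "..\\secret.txt"},
                {"form_id": "contact", "To": "someone-else@example.invalid"},
                {"form_id": "unknown"}):
        try:
            build_mail(bad, tmpl_dir)
        except FormMailError as exc:
            print("rejected:", exc)
```

The point of the registry is that a saved-and-edited copy of the form cannot change where the mail goes or which file is read: every value that CGImail took from the form is here fixed per form id on the server, and the request can only pick one of the configured ids.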