Vulnerability

    mailform.pl

Affected

    MailForm v2.0

Description

    Karl  Hanmore  found  following.   This  script  provides a way in
    which  the  user  of  the  script  can  be  provided with specific
    information.  Files  may also be  attached.  By  making a copy  of
    the form source and modifying the XX-attach_file variable, a  user
    may  mail  himself  a  copy  of  any  file  readable by uid of the
    running cgi process.

    Abuse of  this vunerability  allows a  would be  attacker to  gain
    copies of files on the system, possibly enabling leverage of  such
    for further vunerabilities.

    The  script  will   happily  forward  the   file  listed  in   the
    XX-attach_file variable as  passed from the  form.  This  file can
    be  any  file  that  can  be  read  by  the uid of the running cgi
    process.   It should  be noted  that numerous  other variables are
    passed as hidden fields, and it is most likely that some of  these
    may be levered to cause problems.

Solution

    Use  of  hidden  fields  should  be  avoided  where ever possible.
    Vairables such as the system type,  file to be sent etc should  be
    configured within the cgi itself, not passed to the cgi as  hidden
    fields.  This script should  be majorly re-written to avoid  these
    issues,  and  a  detailed  fix  is  outside  of  the scope of this
    advisory.   It is  recomended that  use of  this script be avoided
    until the vendor  has addressed these  issues.  The  script author
    has  addressed  several  issues  promptly  after  being  contacted
    regarding this problems, however, it  is the belief of the  author
    of this advisory that there  may still be some outstanding  issues
    relating  to  configuration  information  being  passed via hidden
    form fields.