|
Vulnerability mailform.pl Affected MailForm v2.0 Description Karl Hanmore found following. This script provides a way in which the user of the script can be provided with specific information. Files may also be attached. By making a copy of the form source and modifying the XX-attach_file variable, a user may mail himself a copy of any file readable by uid of the running cgi process. Abuse of this vunerability allows a would be attacker to gain copies of files on the system, possibly enabling leverage of such for further vunerabilities. The script will happily forward the file listed in the XX-attach_file variable as passed from the form. This file can be any file that can be read by the uid of the running cgi process. It should be noted that numerous other variables are passed as hidden fields, and it is most likely that some of these may be levered to cause problems. Solution Use of hidden fields should be avoided where ever possible. Vairables such as the system type, file to be sent etc should be configured within the cgi itself, not passed to the cgi as hidden fields. This script should be majorly re-written to avoid these issues, and a detailed fix is outside of the scope of this advisory. It is recomended that use of this script be avoided until the vendor has addressed these issues. The script author has addressed several issues promptly after being contacted regarding this problems, however, it is the belief of the author of this advisory that there may still be some outstanding issues relating to configuration information being passed via hidden form fields.