SecurityTracker.com
Category:  Application (E-mail Server)  >  Cgiemail
Vendors:  MIT
Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System
SecurityTracker Alert ID:  1004549
CVE Reference:  CAN-2002-1575
Updated:  Feb 11 2004
Original Entry Date:  Jun 17 2002
Impact:  Host/resource access via network
Exploit Included:  Yes  
Description:  An input validation vulnerability was reported in 'cgiemail'. A remote user may be able to create a specially crafted URL to cause the system to send unauthorized mail via the system.

It is reported that cgiemail contains an input validation flaw that lets remote users relay mail via the server.

According to the report, the software does not filter the new line code ('%0A') from user-supplied URLs. A remote user can reportedly use a predefined variable and add the '%0a' string and additional fields that will be interpreted by sendmail.

A demonstration exploit example is provided:

POST

/cgi-bin/cgiemail?required-webmaster=xxx@domain&required-from=address@domain&
required-subject=spam%0aCC:address1@domain%20address2@domain%20address3@domain&
comments=spam%20message
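
An added example, not part of the advisory or of cgiemail's source: one way a form-to-mail program can close the flaw described above is to percent-decode each field first and refuse any value that decodes to a control byte before writing it into a header for "sendmail -t". The names decode_header_value and build_header, the 256-byte limit, the fixed header name and the sample inputs are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical helper: percent-decode one form value ('+' is a space).
 * Returns the decoded length, or -1 on a malformed escape, overflow, or a
 * control byte (CR/LF would start a new header line, NUL would truncate). */
static int decode_header_value(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        unsigned int byte = (unsigned char)*in;
        if (byte == '+') {
            byte = ' ';
        } else if (byte == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return -1;
            sscanf(in + 1, "%2x", &byte);
            in += 2;
        }
        if (byte < 0x20 || byte == 0x7f || n + 1 >= outsz)
            return -1;
        out[n++] = (char)byte;
    }
    out[n] = '\0';
    return (int)n;
}

/* Build "Name: value\n" for the message piped to "sendmail -t".
 * Returns 0 on success, -1 if the value was refused. */
int build_header(const char *name, const char *raw, char *out, size_t outsz)
{
    char val[256];
    if (decode_header_value(raw, val, sizeof val) < 0)
        return -1;
    int w = snprintf(out, outsz, "%s: %s\n", name, val);
    return (w < 0 || (size_t)w >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: a plain subject, then one shaped like the example above. */
    const char *samples[] = { "order+status", "spam%0aCC:a@example.test" };
    char line[320];
    for (int i = 0; i < 2; i++)
        printf("%-26s %s\n", samples[i],
               build_header("Subject", samples[i], line, sizeof line) ? "refused" : "accepted");
    return 0;
}
```

The check has to run on the decoded bytes: scanning the raw query string for a literal newline would miss this input, because the line break only exists after "%0a" is decoded.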

Impact:  A remote user can send arbitrary e-mail to user-specified addresses via cgiemail.
Solution:  No solution was available at the time of this entry.
Vendor URL:  web.mit.edu/wwwdev/cgiemail/
Cause:  Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
Reported By:  sec <vulns@sm.detack.de>
Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 24 2003 (Unofficial Patch is Available) Re: Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System   (Matt Riffle <matt@pair.com>)
An unofficial patch is available.



 Source Message Contents

Date:  Fri, 14 Jun 2002 17:20:55 +0300 (EEST)
From:  sec <vulns@sm.detack.de>
Subject:  Another cgiemail bug

 


Yet another cgiemail and others bug.
Not much to report, so we'll keep it concise.
cgiemail: http://web.mit.edu/wwwdev/cgiemail/

Discussion:
It's an open relaying bug. This vulnerability affects cgiemail and a lot
of other web/mail applications, we are concentrating on cgiemail because
it is considered safe. The same kind of exploit can be performed on many
similar apps using the blessed "sendmail -t" to send the mail and avoid
the bad attacker getting a shell.

Details:
The problem is very few developers filter the new line code "%0a". When
posting data to the web/mail application, the remote user can take one of
the predefined variables and add "%0a" followed by additional fields
decoded by sendmail. For example CC: or Bcc: and so on. The result is that
the mail is going to a lot of other addresses.

Example:
POST

/cgi-bin/cgiemail?required-webmaster=xxx@xxx.com&required-from=zzz@zzz.com&
required-subject=spam%0aCC:address1@smap.com%20address2@smap.com%20address3@smap.com&
comments=spam%20message

Simple, clear enough.


------------------
Vulnerability Reporting
Detack GmbH
IT Security Audits
Alfred-Herrhausen-Str. 44 D - 58455 Witten
Phone +49 (0) 2302 / 915 - 291
Fax +49 (0) 2302 / 915 - 295
Email: vulns@detack.de
WWW: www.detack.de

 



Copyright 2004, SecurityGlobal.net LLC