(Unofficial Patch is Available) Re: Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System
SecurityTracker Alert ID: 1007997
CVE Reference: CAN-2002-1575
Updated: Feb 11 2004
Original Entry Date: Oct 24 2003
Impact: Host/resource access via network
Fix Available: Yes
Description: An input validation vulnerability was reported in 'cgiemail'. A remote user may be able to create a specially crafted URL that causes the system to send unauthorized mail.
It is reported that cgiemail contains an input validation flaw that lets remote users relay mail via the server. According to the report, the software does not filter the newline code ('%0A') from user-supplied URLs. A remote user can reportedly use a predefined variable and append the '%0a' string followed by additional header fields that will be interpreted by sendmail.
A demonstration exploit example is provided:
POST /cgi-bin/cgiemail?required-webmaster=xxx@domain&required-from=address@domain&required-subject=spam%0aCC:address1@domain%20address2@domain%20address3@domain&comments=spam%20message
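As an added example (not code from cgiemail, the advisory, or the patch appended in the source message), here is the check a CGI mail gateway can apply to a form value before placing it in a mail header: decode the query value the way the server does, then reject the submission outright if the decoded bytes contain any control character. Rejecting, rather than replacing the bytes with spaces, keeps a forged CC: line from reaching sendmail even as harmless subject text and gives the operator an event worth logging. The function names url_decode, header_value_is_safe and decoded_value_is_safe, and the sample values, are assumptions constructed for this example.

```c
/* Added example, not part of cgiemail or the advisory: decode a CGI form
 * value and decide whether it may be placed in a mail header. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a URL query value in place ('+' -> space, %XX -> byte).
 * Malformed %XX sequences are copied through unchanged. Returns the decoded
 * length, which matters because %00 produces an embedded NUL byte. */
size_t url_decode(char *s) {
    char *in = s, *out = s;
    while (*in) {
        if (*in == '+') {
            *out++ = ' ';
            in++;
        } else if (*in == '%' && isxdigit((unsigned char)in[1]) &&
                   isxdigit((unsigned char)in[2])) {
            char hex[3] = { in[1], in[2], '\0' };
            *out++ = (char)strtol(hex, NULL, 16);
            in += 3;
        } else {
            *out++ = *in++;
        }
    }
    *out = '\0';
    return (size_t)(out - s);
}

/* A header value is safe only if it contains no control character at all:
 * CR and LF start a new header line (the CC: injection in the advisory) and
 * other C0 controls or DEL are never legitimate in Subject:/From: values.
 * Bytes >= 0x80 are allowed (non-ASCII text). The length is taken explicitly
 * so a decoded NUL byte cannot hide what follows it. Returns 1 if safe. */
int header_value_is_safe(const char *v, size_t n) {
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (c < 0x20 || c == 0x7f)
            return 0;
    }
    return 1;
}

/* Decode a raw query value and classify it in one step. Values too long for
 * the buffer are rejected as well. */
int decoded_value_is_safe(const char *raw) {
    char buf[1024];
    if (strlen(raw) >= sizeof buf)
        return 0;
    strcpy(buf, raw);
    size_t n = url_decode(buf);
    return header_value_is_safe(buf, n);
}

int main(void) {
    /* Constructed values modelled on the advisory's request. */
    const char *samples[] = {
        "Hello+from+the+web+form",
        "spam%0aCC:address1@domain%20address2@domain",
        "spam%0d%0aBcc:someone@domain",
        "subject%00hidden",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-45s -> %s\n", samples[i],
               decoded_value_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```

The decision is made on the decoded bytes, not on the raw query string, so `%0A`, `%0a` and a literal newline are all treated the same way.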
Impact: A remote user can send arbitrary e-mail to user-specified addresses via cgiemail.
Solution: A user has provided an unofficial patch [available in the Source Message].
Vendor URL: web.mit.edu/wwwdev/cgiemail/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Matt Riffle <matt@pair.com>
Message History:
This archive entry is a follow-up to the message listed below.
Source Message Contents
Date: Fri, 3 Oct 2003 13:58:20 -0400 (EDT)
From: Matt Riffle <matt@pair.com>
Subject: patch for vulnerability in cgiemail
Recently we've seen a marked rise in attempts to exploit the bug in MIT's
cgiemail that's documented here:
http://www.securitytracker.com/alerts/2002/Jun/1004549.html
Appended below is a quick patch to the cgilib.c file of the distribution,
designed to prevent abuse of the program.
Basically, it attempts to strip all non-printable characters (maybe a little
heavy-handed) from form input that's incorporated into the headers of the
resulting email. It doesn't strip them from the body (assuming there's a
blank line between the two for it to make the distinction).
Regards,
Matt Riffle
------------------------O----------------------
Senior Systems Programmer
pair Networks, Inc. http://www.pair.com/
------------------------O----------------------
--
31,40d30
< int noheader; // flag for when we exit template's header - MPR
< int flag; // flag used to find split to set above flag - MPR
<
< /* MPR - 9/30/03 */
< void strip_nonprint(char *s) {
< while (*s) {
< if (!isprint(*s)) *s = ' ';
< s++;
< }
< }
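Review bot: `isprint(*s)` in strip_nonprint is called with a plain `char`; on platforms where char is signed, any byte above 0x7F becomes a negative argument, which the ctype functions do not define (only EOF and unsigned-char values are allowed). Use `if (!isprint((unsigned char)*s)) *s = ' ';` and make sure cgilib.c includes <ctype.h>. Two smaller points: `noheader` and `flag` are file-scope globals that are never reset, so the logic only holds if one template is processed per process; and the diff was produced with the patched file as the first argument, so every added line shows as a `<` removal (`31,40d30`) and has to be applied with `patch -R`, or regenerated as `diff -u original patched`.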
432,433d421
< char *myptr;
< int count;
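Review bot: `myptr` and `count` are declared here but none of the visible hunks use them; unless a hunk that was cut from this message references them, drop the declarations, since they only produce unused-variable warnings.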
439,442d426
< if (!noheader)
< {
< strip_nonprint(formp->fields[i].value);
< }
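Review bot: replacing control characters with spaces lets the injected data through as text: the advisory's `required-subject=spam%0aCC:address1@domain ...` request becomes the subject `spam CC:address1@domain ...`, so the message is still sent with the attacker's text in it. Returning an error and skipping sendmail when a header field contains a control character is safer and also produces an event worth logging. It is also worth confirming that this field loop at line 439 runs after the template scan at line 554 that sets `noheader`; if it runs first, `noheader` is still 0 and every field is stripped, body included, which is safe but not what the message describes.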
554,558d537
< /* when flag hits 2, we're out of headers -- MPR */
< if (flag >= 2)
< {
< noheader = 1;
< }
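Review bot: `noheader` is set as soon as `flag` reaches 2 and is never cleared, which matches the description (the blank line separates header and body), but a template with no blank line leaves `noheader` at 0 and strips every field including the body; a comment saying that this is the intended fail-safe would save the next reader a trip through the scanner.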
564d542
< flag++;
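Review bot: this unconditional `flag++` at line 564 sits next to the `if (inchar == (int)'\n') flag++;` in the following hunk, and without the surrounding context it is not clear that the two cannot both run for the same character. If they can, one newline counts as two and `noheader` is set a line early, leaving the last header line unstripped. Please show the enclosing block or fold the two increments into one.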
567,574d544
< if ((inchar != (int)' ') && (inchar != (int)'\n'))
< {
< flag = 0;
< }
< else
< {
< if (inchar == (int)'\n') flag++;
< }
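Review bot: only `'\n'` and `' '` are treated as blank-line characters, so a template with CRLF line endings resets `flag` on every `'\r'` and the header/body boundary is never found (every field is then stripped); `'\t'` has the same effect. Treat `'\r'` like a space if templates may come from Windows editors. The `(int)` casts on the character constants are unnecessary, as `'\n'` and `' '` already have type int in C.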
1192d1161
<
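Review bot: this hunk only removes a trailing blank line at the end of the file; it is harmless but unrelated to the fix and can be left out of the patch.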