___ Summary __________________________________________________________

Title:        Directory traversal vulnerability in sendform.cgi
Date:         July 30, 2002
Author:       Steve Christey (coley@mitre.org)
Credits:      Brian Caswell (bmc@mitre.org)
              Erik Tayler (erik@DIGITALDEFENSE.NET)
Vendor:       Rod Clark
Product:      sendform.cgi
Product URL:  http://www.scn.org/~bb615/scripts/sendform.html
OS/Platform:  Unix
Versions:     All versions 1.4.4 and earlier, primarily before 1.4
Impact:       Remote unauthenticated attackers can read arbitrary files
              with the privileges of the web server.
Risk:         High
Solution:     Upgrade to v1.45. A workaround is available, but it
              reduces functionality.
Identifiers:  CVE (CAN-2002-0710), Bugtraq ID (5286)

___ Introduction _____________________________________________________

Rod Clark's sendform.cgi is a CGI program that reads form data and
sends it to a program-specified administrator. An optional capability
can send additional "blurb files" to the e-mail address that is
provided in the form.

Unfortunately, any remote attacker can use sendform.cgi to read
arbitrary files with the privileges of the web server by modifying the
BlurbFilePath parameter to reference the desired files.

___ Details __________________________________________________________

When sendform.cgi is used to notify a user that their form has been
submitted, it can read "blurb files" from the web server and send them
in an email to the user.

A remote attacker can manipulate the BlurbFilePath parameter to
identify any target file (or set of files) on the web server, such as
/etc/passwd. The "email" parameter can then be modified to point to
the attacker's own email address, and the SendCopyToUser parameter set
to "yes." When the attacker submits the full request to sendform.cgi,
a copy of the target file will be sent to the attacker.

There may be alternate attack vectors that do not require the
SendCopyToUser parameter.
If the attacker can write files to the web server running
sendform.cgi, then the attacker can fully control the content of the
e-mail message and send it to arbitrary e-mail addresses. Since other
form fields such as the subject line are under attacker control,
sendform.cgi could then be used as a "spam proxy," in a fashion
similar to the well-known vulnerability in formmail.pl [1].

The filename that is provided to BlurbFilePath does not have to
contain .. characters to escape the web root. An absolute pathname
will also work.

Since sendform.cgi only allows a small range of characters, plus the
.. and /, the attacker cannot execute commands via shell
metacharacters, or redirect output to other files.

It should be noted that there appear to be multiple programs named
"sendform.cgi," including custom CGI scripts, which are unrelated to
the product being discussed in this advisory.

___ Solution _________________________________________________________

Upgrade to the current version, found at:

  http://www.scn.org/~bb615/scripts/sendform.html

The only feasible workaround is to disable the Blurb File feature by
commenting out calls to the functions MailFirstBlurbFile() and
MailOtherBlurbFiles().

Thanks to Rod Clark for diligently addressing this vulnerability.

___ Vulnerability Identifiers ________________________________________

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2002-0710 [2] to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

The SecurityFocus VulnHelp team (vulnhelp@securityfocus.com) has
assigned Bugtraq ID 5286 [3] to this issue.
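The Details section makes two points that any fix for this class of bug has to honour: a user-supplied file name must be refused when it contains ".." components, and it must also be refused when it is an absolute path, since an absolute pathname escapes the web root without any ".." at all. The following Python function is an added example of such a check; it is not code from sendform.cgi or from the vendor, and the directory layout, file names (thanks.txt, private.txt, escape.txt) and the check_blurb_request/demo names are constructed for this illustration. It confines a requested blurb file to a fixed directory by refusing absolute paths, refusing any ".." component outright rather than stripping it, and then canonicalising the joined path (which follows symlinks) and confirming the result still lies under the blurb directory.

```python
import os
import tempfile


def check_blurb_request(blurb_dir, requested):
    """Validate a user-supplied blurb file name against a fixed directory.

    Returns a (status, path) pair: ("ok", absolute_path) when the request
    resolves to a regular file inside blurb_dir, otherwise one of
    "absolute", "traversal", "outside" or "missing" paired with None.
    """
    base = os.path.realpath(blurb_dir)

    # An absolute pathname escapes the web root without any ".." at all,
    # so it is refused before any path joining happens.
    if os.path.isabs(requested):
        return ("absolute", None)

    # Refuse any ".." (or empty / ".") component instead of trying to
    # strip it; stripping is what lets "....//" style encodings through.
    components = requested.replace("\\", "/").split("/")
    if any(c in ("", ".", "..") for c in components):
        return ("traversal", None)

    # Canonicalise (this follows symlinks) and confirm the result is still
    # inside the blurb directory, so a symlink pointing elsewhere is caught.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        return ("outside", None)

    if not os.path.isfile(candidate):
        return ("missing", None)
    return ("ok", candidate)


def demo():
    """Build a throw-away directory layout and run representative requests.

    Returns {request: status}. All files and names here are constructed
    for this example only.
    """
    with tempfile.TemporaryDirectory() as tmp:
        blurb_dir = os.path.join(tmp, "blurbs")
        os.mkdir(blurb_dir)
        with open(os.path.join(blurb_dir, "thanks.txt"), "w") as fh:
            fh.write("Thank you for your submission.\n")
        # A file one level above the blurb directory stands in for the
        # kind of sensitive file the advisory describes.
        with open(os.path.join(tmp, "private.txt"), "w") as fh:
            fh.write("not for distribution\n")
        # A symlink inside the blurb directory that points outside it.
        link = os.path.join(blurb_dir, "escape.txt")
        try:
            os.symlink(os.path.join(tmp, "private.txt"), link)
        except (OSError, NotImplementedError):
            link = None

        requests = ["thanks.txt", "../private.txt", "/etc/passwd",
                    "nope.txt", "sub/../../private.txt"]
        if link is not None:
            requests.append("escape.txt")
        return {r: check_blurb_request(blurb_dir, r)[0] for r in requests}


if __name__ == "__main__":
    for req, status in demo().items():
        print(f"{req!r:26} -> {status}")
```

The order of the checks matters: the absolute-path and ".." tests are cheap syntactic refusals that give a clear reason for logging, while the realpath/commonpath comparison is the check that actually enforces the boundary and is what catches the symlink case that the first two cannot see. Keeping the blurb files in a directory with no other content, as this function assumes, is what makes "inside the blurb directory" a sufficient condition.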
___ Disclosure Policy ________________________________________________

Disclosure of this vulnerability has been conducted in accordance with
the "Responsible Vulnerability Disclosure Process" draft, currently
published at:

  http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt

___ Disclosure History _______________________________________________

2002/05/10: initial discovery of suspicious code
2002/05/16: vulnerability verified
2002/05/16: initial notification to vendor
2002/05/16: vendor acknowledges receipt
2002/06/14: vendor updated web site with patched version for review
2002/06/17: tested patched version, made some recommendations
2002/06/24: beginning of vacation, sweet vacation
2002/07/15: vendor provides most recent version
2002/07/18: final suggestions to vendor (tiny hole still left)
2002/07/18: CVE candidate obtained
2002/07/20: vendor releases final version
2002/07/23: Bugtraq ID obtained
2002/07/23: final version verified
2002/07/30: advisory released

This vulnerability was originally discovered while researching a Snort
IDS signature with Brian Caswell (bmc@mitre.org). The signature
apparently originated from a post to the Vuln-Dev mailing list on
January 24, 2001, by Erik Tayler [4], who inquired about directory
traversal attacks on sendform.

Approximately 5 hours were spent researching the vulnerability. An
additional 10-15 hours were spent consulting with the vendor and
evaluating patches.

___ References _______________________________________________________

[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0357
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0710
[3] http://www.securityfocus.com/bid/5286
[4] http://marc.theaimsgroup.com/?l=vuln-dev&m=98039690620489&w=2

___ EOF ______________________________________________________________