exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

FormMail 1.92 XSS / HTTP Response Splitting

FormMail 1.92 XSS / HTTP Response Splitting
Posted May 13, 2009
Authored by Francesco Ongaro, Antonio Parata, Giovanni Pellerano | Site ush.it

FormMail version 1.92 suffers from cross site scripting, header injection, and HTTP response splitting vulnerabilities.

tags | exploit, web, vulnerability, xss
SHA-256 | dda541988029f268bc02136426254f2b6bbc63e0e3c487848827415005cc289e

FormMail 1.92 XSS / HTTP Response Splitting

Change Mirror Download
FormMail 1.92 Multiple Vulnerabilities

Name Multiple Vulnerabilities in FormMail
Systems Affected FormMail 1.92 and possibly earlier versions
Severity Medium
Impact (CVSSv2) Medium 4.3/10, vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Vendor http://www.scriptarchive.com/formmail.html
Advisory http://www.ush.it/team/ush/hack-formmail_192/adv.txt
Authors Francesco "ascii" Ongaro (ascii AT ush DOT it)
Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
Antonio "s4tan" Parata (s4tan AT ush DOT it)
Date 20090511


FormMail is a generic HTML form to e-mail gateway that parses the
results of any form and sends them to the specified users. This script
has many formatting and operational options, most of which can be
specified within each form, meaning you don't need programming knowledge
or multiple scripts for multiple forms. This also makes FormMail the
perfect system-wide solution for allowing users form-based user feedback
capabilities without the risks of allowing freedom of CGI access. There
are several downloading options available below and more information on
this script can be found in the Readme file. FormMail is quite possibily
the most used CGI program on the internet, having been downloaded over
2,000,000 times since 1997.


Multiple Vulnerabilities exist in FormMail software.



A) Prelude to the vulnerabities
B) Cross Site Scripting
C) HTTP Response Header Injection
D) HTTP Response Splitting

A) Prelude to the vulnerabities

What follows is the code used to validate the user input:

Line 283: $safeConfig array definition.


foreach $field (keys %Config) {
$safeConfig{$field} = &clean_html($Config{$field});


Line 518: definition of clean_html function, used to generate the
"$safeConfig" array from "$Config".


# This function will convert <, >, & and " to their HTML equivalents.
sub clean_html {
local $value = $_[0];
$value =~ s/\&/\&/g;
$value =~ s/</\</g;
$value =~ s/>/\>/g;
$value =~ s/"/\"/g;
return $value;


These functions are not always applied to the user input and don't
protect against all the attack vectors (as URI or DOM XSS that can work
also if encoded), this is why various vulnerabilities exist.

B) Cross Site Scripting vulnerability

Line 293: the "redirect" variable is used to write the location header
value. Its value is not filtered so it's possible to perform both
HTTP Header Injection and an HTTP Response Splitting attacks.

Since Header Injection is one of the most versatile attack vectors we
could use it (like "downgrade it") to perform a Cross Site Scripting
attack but it would not represent a different vulnerability.

In this case we are already inside a "Location" response header and it's
possible to perform an XSS without splitting the response and using the
standard Apache page for the 302 Found HTTP status.


# If redirect option is used, print the redirectional location header.
if ($Config{'redirect'}) {
print "Location: $safeConfig{'redirect'}\n\n";


XSS vulnerability example:


$ curl -kis "


HTTP/1.1 302 Found
Date: Sat, 11 Apr 2009 14:12:11 GMT
Server: Apache
Location: javascript:alert('USH');
Content-Length: 267
Content-Type: text/html; charset=iso-8859-1
<title>302 Found</title>
<p>The document has moved <a href="javascript:alert('USH');">here</a>.</p>
<address>Apache Server at Port 80</address>


Obiously the XSS is not automatic since browsers don't follow the
"javascript:" URI handler in the "Location" header.

A second XSS vulnerability, not based on HTTP tricks, exists: in the
following code the the "$return_link" variable is reflected (printed) in
the page body without any validation:


Line 371: the "$return_link" variable is printed in the page body
without any validation.


# Check for a Return Link and print one if found. #
if ($Config{'return_link_url'} && $Config{'return_link_title'}) {
print "<ul>\n";
print "<li><a
print "</ul>\n";


The vulnerability can be triggered with the following request:

$ curl -kis "

This XSS is not automatic.

C) HTTP Response Header Injection

An HTTP Response Header Injection vulnerability exists, the following
request triggers the vulnerability:

$ curl -kis "

Can be verified with the obvious "javascript:alert(document.cookie)".

D) HTTP Response Splitting

Thanks to the full exploitability of the Header Injection vulnerability
an HTTP Response Splitting can be performed.

The following request is an example of the attack:


$ curl -kis "
HTTP/1.1 302 Found
Date: Sun, 12 Apr 2009 23:01:18 GMT
Server: Apache
Content-Length: 0
Transfer-Encoding: chunked
Content-Type: text/plain

HTTP/1.1 200 OK
Content-Type: text/plain


HTTP Response Splitting can be used to trigger a number of different
vectors, ranging from automatic Reflected XSS to Browser and Proxy
Cache Poisoning.


FormMail 1.92 and possibly earlier versions are vulnerable.




No CVE at this time.


20070501 Bug discovered
20070531 Initial vendor contact (Thu, 31 May 2007 22:21:39 +0200)
-- No response and the bug sleeped for some time in ascii's mind --
20090505 Second vendor contact
-- Giving up, will have better results with forced disclosure --
20090511 Advisory Release


Francesco "ascii" Ongaro, Giovanni "evilaliv3" Pellerano and Antonio
"s4tan" Parata are credited with the discovery of this vulnerability.

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

Giovanni "evilaliv3" Pellerano
web site: http://www.evilaliv3.org
mail: giovanni.pellerano AT evilaliv3 DOT org

Antonio "s4tan" Parata
web site: http://www.ictsc.it/
mail: s4tan AT ictsc DOT it, s4tan AT ush DOT it


Copyright (c) 2009 Francesco "ascii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    19 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By