SecurityTracker.com
Category:   Application (E-mail Server)  >   Cgiemail
Vendors:   MIT
Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System
SecurityTracker Alert ID:  1004549
SecurityTracker URL:  http://securitytracker.com/id/1004549
CVE Reference:   CVE-2002-1575
Updated:  Feb 11 2004
Original Entry Date:  Jun 17 2002
Impact:   Host/resource access via network
Exploit Included:  Yes  

Description:   An input validation vulnerability was reported in 'cgiemail'. A remote user may be able to create a specially crafted URL that causes the system to send unauthorized mail.

It is reported that cgiemail contains an input validation flaw that lets remote users relay mail via the server.

According to the report, the software does not filter the newline code ('%0A') from user-supplied URLs. A remote user can reportedly append the '%0a' string to a predefined variable, followed by additional fields that will be interpreted by sendmail.

A demonstration exploit example is provided:

POST

/cgi-bin/cgiemail?required-webmaster=xxx@domain&required-from=address@domain&
required-subject=spam%0aCC:address1@domain%20address2@domain%20address3@domain&
comments=spam%20message

Impact:   A remote user can send arbitrary e-mail to user-specified addresses via cgiemail.
Solution:   No solution was available at the time of this entry.
Vendor URL:  web.mit.edu/wwwdev/cgiemail/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)
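
One way to apply the missing filter described above, as an added example (not cgiemail's code and not the unofficial patch): percent-decode each form value, then refuse it if it contains CR, LF or another control character before it is written to a header line that sendmail will read. The function names and buffer sizes are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Percent-decode a form value in place ('+' becomes a space). */
static void url_decode(char *s) {
    char *out = s;
    while (*s) {
        if (*s == '%' && isxdigit((unsigned char)s[1]) && isxdigit((unsigned char)s[2])) {
            char hex[3] = { s[1], s[2], '\0' };
            *out++ = (char)strtol(hex, NULL, 16);
            s += 3;
        } else {
            *out++ = (*s == '+') ? ' ' : *s;
            s++;
        }
    }
    *out = '\0';
}

/* 1 if v has no CR, LF or other control characters (tab is allowed). */
int header_value_ok(const char *v) {
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if ((c < 0x20 && c != '\t') || c == 0x7f) return 0;
    }
    return 1;
}

/* Decode raw; write "name: value\n" only if safe. 0 = ok, -1 = rejected. */
int emit_header(char *out, size_t outsz, const char *name, const char *raw) {
    char buf[512];
    if (strlen(raw) >= sizeof buf) return -1;
    strcpy(buf, raw);
    url_decode(buf);
    if (!header_value_ok(buf)) return -1;
    int n = snprintf(out, outsz, "%s: %s\n", name, buf);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void) {
    char line[600];
    /* required-subject value from the advisory; the second value is constructed. */
    const char *adv = "spam%0aCC:address1@domain%20address2@domain%20address3@domain";
    puts(emit_header(line, sizeof line, "Subject", adv) ? "rejected" : "accepted");
    if (emit_header(line, sizeof line, "Subject", "Site%20feedback") == 0) fputs(line, stdout);
    return 0;
}
```

The check has to run after decoding and on every field that ends up on a header line, not only the subject.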

Message History:   This archive entry has one or more follow-up message(s) listed below.
Oct 24 2003 (Unofficial Patch is Available) Re: Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System
An unofficial patch is available.
Feb 12 2004 (Debian Issues Fix) Cgiemail Web Mail System May Let Remote Users Relay Mail Via the System
Debian has released a fix.



 Source Message Contents

Subject:  Another cgiemail bug



Yet another cgiemail and others bug.
Not much to report, so we'll keep it concise.
cgiemail: http://web.mit.edu/wwwdev/cgiemail/

Discussion:
It's an open relaying bug. This vulnerability affects cgiemail and a lot
of other web/mail applications; we are concentrating on cgiemail because
it is considered safe. The same kind of exploit can be performed on many
similar apps using the blessed "sendmail -t" to send the mail and avoid
the bad attacker getting a shell.

Details:
The problem is very few developers filter the new line code "%0a". When
posting data to the web/mail application, the remote user can take one of
the predefined variables and add "%0a" followed by additional fields
decoded by sendmail. For example CC: or Bcc: and so on. The result is that
the mail is going to a lot of other addresses.

Example:
POST

/cgi-bin/cgiemail?required-webmaster=xxx@xxx.com&required-from=zzz@zzz.com&
required-subject=spam%0aCC:address1@smap.com%20address2@smap.com%20address3@smap.com&
comments=spam%20message

Simple, clear enough.


------------------
Vulnerability Reporting
Detack GmbH
IT Security Audits
Alfred-Herrhausen-Str. 44 D - 58455 Witten
Phone +49 (0) 2302 / 915 - 291
Fax +49 (0) 2302 / 915 - 295
Email: vulns@detack.de
WWW: www.detack.de

 
 



Copyright 2021, SecurityGlobal.net LLC