[ SOURCE: http://www.secureroot.com/security/advisories/9688266992.html ]

Title: Poor variable checking in mailto.cgi (Mail - Credit Card Combo Mail-to and Credit Card program)
Advisory Author: Karl Hanmore
Script URL: http://rlaj.com/scripts/mailto/
Script Author: Ranson Johnson
Advisory Released: 11 September 2000
Vendor notified: support@rlaj.com, 05 Sept. 2000

Disclaimer:
This information is provided AS IS. Neither myself, my employer or any other organisation or person warrant the information supplied herein. In no instance will myself or any other organisation I am involved with accept responsibility for any damage or injury caused as a result of the use of any information provided herein. This information is provided for educational use only, and to allow potentially affected persons to more adequately secure their systems.

Vulnerable:
Tested version: the current version as distributed on the website on 05 September 2000.

Overview:
This script emails a feedback form or credit card order to the site admin. It also sends a reply to the person submitting the form. A malicious user can use a malformed email address to execute arbitrary commands on the web server.

Impact:
Abuse of this vulnerability allows arbitrary commands to be run as the user id of the running CGI process. This could potentially be used to delete or modify files, or to send copies of arbitrary files by email to an attacker.

Detail:
The "emailadd" field from the form is used directly in a piped open. Because the address becomes part of the command line handed to the shell, an attacker can execute arbitrary commands by choosing the value of the email address carefully.

Fix:
Input checking should be performed to ensure that only valid characters are contained within the email address. User-supplied variables should not be passed to system(), piped opens or other such executable operations. A patch is provided below to perform rudimentary address checking and to avoid passing user input to a piped open.
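The two halves of the fix above (a strict address check, and mailing without any shell in the path), as an added example in Python; this is not the script's own code nor the author's patch, and the sendmail path and flags are assumptions for illustration:

```python
import re
import subprocess

# Conservative pattern for the form's "emailadd" value: only characters that are
# common in real addresses, so whitespace, quotes and shell metacharacters such
# as | ; & ` $ ( ) < > are rejected outright. The first character must be
# alphanumeric so the value can never be mistaken for a command-line option.
_LOCAL = r"[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}"
_DOMAIN = r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
ADDR_RE = re.compile(_LOCAL + "@" + _DOMAIN)


def valid_email(addr: str) -> bool:
    """True only for a single plain address with no risky characters."""
    # fullmatch anchors both ends, so appended text or a trailing newline fails.
    return len(addr) <= 254 and ADDR_RE.fullmatch(addr) is not None


def sendmail_argv(sender: str, recipient: str) -> list:
    """Argument vector for sendmail (assumed path). No shell is involved, so the
    recipient is always exactly one argument, never text a shell would parse."""
    if not (valid_email(sender) and valid_email(recipient)):
        raise ValueError("refusing to mail: malformed address")
    # -oi: a lone '.' line does not end the message; -f: envelope sender.
    return ["/usr/sbin/sendmail", "-oi", "-f", sender, recipient]


def send_reply(sender: str, recipient: str, subject: str, body: str,
               run=subprocess.run):
    """Send the auto-reply. 'run' is injectable so the logic can be tested offline."""
    argv = sendmail_argv(sender, recipient)
    # Newlines are stripped from the user-controlled subject so it cannot
    # inject extra headers; the message goes to sendmail on stdin, not argv.
    safe_subject = subject.replace("\r", " ").replace("\n", " ")
    message = (f"From: {sender}\nTo: {recipient}\n"
               f"Subject: {safe_subject}\n\n{body}")
    return run(argv, input=message, text=True, check=True)
```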
It is believed that this has been addressed immediately by the script author upon notification of the problem, and that new versions should already be updated accordingly.

Patch:
See above disclaimer. This patch is provided AS IS; however, the advisory author believes this should remedy the problem as detailed.

==================================
Karl Hanmore
Email: karl@system-administrator.net