COMMAND

    mailto.cgi

SYSTEMS AFFECTED

    Mail - Credit Card Combo Mail-to and Credit Card program

PROBLEM

    Karl  Hanmore  found  following.   This  script  provides  for   a
    feedback /  credit card  order to  be emailed  to the  site admin.
    This script  also provides  a reply  to the  person submitting the
    form.   A  malicious  user  can  use  a misformed email address to
    execute arbitary commands on the web server.

    Abuse of  this vunerability  allows running  of arbitary  commands
    as the user id of the running cgi process.  This could potentially
    be used to delete or  modify files, or provide copies  of arbitary
    files via email to an attacker.

    The "emailadd" field from the form is used directly in conjunction
    with a piped  open.  This  allows an attacker  to execute arbitary
    commands by choosing the value of the email address carefully.

SOLUTION

    Input  checking  should   be  performed  to   ensure  only   valid
    characters are contained within the email address.  User  supplied
    variables should not  be passed to  system, piped open's  or other
    such  executable  operations.   Patch  provided  below  to perform
    redimentary  address  checking  and  avoid  passing  user input to
    piped  open.   It  is  believed  that  this  has  been   addressed
    immediately  by  the  script  author  upon  notification  of   the
    problem,  and  that  new   versions  should  already  be   updated
    accordingly.

    *** mailto.cgi.orig	Mon Sep  4 17:22:48 2000
    --- mailto.cgi	Mon Sep  4 17:24:26 2000
    ***************
    *** 134,143 ****
    
    
                     ############################################
    
      if ($mail eq '1') {
    !    open (MAIL, "|$mailprog $recipient") || die "Can't open $mailprog!\n";
    !
         print MAIL "Reply-to: $FORM{'emailadd'} ($FORM{'name'})\n";
         print MAIL "From: $FORM{'emailadd'} ($FORM{'name'})\n";
      if ($FORM{'card_no'}){
    --- 134,145 ----
    
    
                     ############################################
    + # Check for valid email address
    + $FORM{'emailadd'} =~ s/[^A-Zaa-z0-9@\.,]//g;
    
      if ($mail eq '1') {
    !    open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
    !    print MAIL "To: $recipient\n";
         print MAIL "Reply-to: $FORM{'emailadd'} ($FORM{'name'})\n";
         print MAIL "From: $FORM{'emailadd'} ($FORM{'name'})\n";
      if ($FORM{'card_no'}){
    ***************
    *** 163,169 ****
       }
    
      if ($remote_mail eq '1' && $FORM{'emailadd'}) {
    !    open (MAIL, "|$mailprog $FORM{'emailadd'}") || die "Can't open $mailprog!\n";
         print MAIL "From: $return_add\n";
      if ($FORM{'card_no'}){
         print MAIL "Subject: $cc_order_subject\n";
    --- 165,172 ----
       }
    
      if ($remote_mail eq '1' && $FORM{'emailadd'}) {
    !    open (MAIL, "|$mailprog -t") || die "Can't open $mailprog!\n";
    !    print MAIL "To: $FORM{'emailadd'}\n";
         print MAIL "From: $return_add\n";
      if ($FORM{'card_no'}){
         print MAIL "Subject: $cc_order_subject\n";