Stalker's CGImail Gives Read Access to All Server Files
-------------------------------------------------------

Sverre H. Huseby security advisory #1, 2000-08-29

Systems affected
----------------

All versions of cgimail.exe to this date.

Description
-----------

Stalker Lab's cgimail.exe accepts configuration parameters from the client side, and may give anyone read access to any file on the web server.

Details
-------

Stalker Lab's Mailers package for Windows NT contains the CGImail.exe program, which is used to convert the contents of an HTML form to an email. The program takes a template file on the web server disk and substitutes special markup ("variables") with values from the form before sending the mail. Attachments are also supported.

Unfortunately, every part of the mail sending process is controlled by (possibly hidden) values in the form. A malicious user may thus save the web page to disk, modify the recipient $To$-variable and the template $File$- or $Attach$-variable, and trick the program into sending any file from the web server disk to himself.

I have tested this positively on an unknown version of CGImail.exe (web server outside of my control, problem since fixed by removing CGImail.exe). The docs (cgimail.txt) for version 1.12 (1996-12-17), available from http://www.winsite.com/info/pc/winnt/netutil/sm112.zip/, indicate that the same problem exists with that version.

The Stalker Lab web page at http://www.stalkerlab.ch/SMailers/index.html is unreachable (No route to host), but a cached version at Google shows that a version of at least 1.20 is now available. I have not been able to find that version anywhere on the net.

The 1.12 docs have a section about "security": CGImail.exe may use the CGI HTTP_REFERER environment variable to make sure the page containing the form comes from the correct web server. I'm sure we all know how to fake an HTTP Referer header, so this sure is a false sense of security.

No solution to the problem is known, except for disabling (and deleting!) the program entirely.

Impact
------

This design error makes it possible for anyone to receive a mail containing any given file on the server running cgimail.exe. Files may contain information that may help an attacker further exploit the server.

Reported by Sverre H. Huseby, shh@thathost.com
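As an added illustration (not part of this advisory and not Stalker's code), the Python sketch below contrasts the CGImail design described above, where recipient, template and attachment are read from form fields, with a form-mail handler that derives all three from a server-side table keyed by an opaque form ID and rejects any client-supplied To/File/Attach field; the directory, file names and addresses are constructed assumptions.

```python
"""Form-to-mail parameter resolution: client-controlled (CGImail-style) vs.
server-controlled. All paths, IDs and addresses below are constructed examples."""
import os


class FormMailError(ValueError):
    """Raised when a submission asks for anything not fixed on the server."""


# Server-side configuration, never overridable from the form (constructed values).
TEMPLATE_DIR = "/srv/formmail/templates"
FORMS = {
    "contact":  {"to": "webmaster@example.org", "template": "contact.txt"},
    "feedback": {"to": "feedback@example.org", "template": "feedback.txt"},
}
# Form field names the advisory says CGImail honours from the client.
CLIENT_CONTROLLED = ("To", "File", "Attach")


def cgimail_style_resolve(form):
    """The flawed design: whoever edits the (hidden) fields chooses where the
    mail goes and which server file is used as template or attachment."""
    return form.get("To"), form.get("File"), form.get("Attach")


def hardened_resolve(form):
    """Accept only an opaque form ID; derive recipient and template from it.

    Returns (recipient, absolute template path, attachments); attachments are
    always empty because the server offers none."""
    form_id = form.get("form_id")
    if form_id not in FORMS:
        raise FormMailError("unknown form id")
    # Do not merely ignore To/File/Attach: reject them so tampering shows up
    # in the web server's logs instead of being silently dropped.
    present = [name for name in CLIENT_CONTROLLED if name in form]
    if present:
        raise FormMailError("client-supplied fields not allowed: " + ", ".join(present))
    base = os.path.realpath(TEMPLATE_DIR)
    path = os.path.realpath(os.path.join(base, FORMS[form_id]["template"]))
    # Defence in depth: even a misconfigured table entry must not escape the
    # template directory.
    if os.path.commonpath([base, path]) != base:
        raise FormMailError("template outside template directory")
    return FORMS[form_id]["to"], path, ()
```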