Stalkerlab's Mailers 1.1.2 CGI Mail Spoofing Vulnerability

Stalkerlab's Mailers 1.1.2, and possibly more recent versions, is subject to a design error that could potentially enable a user to access local files on the web server.

Mailers 1.1.2 contains the program CGImail.exe, which uses a template file stored on the web server's disk to convert an HTML form into an email. Because specific values from that file are exposed in the form page, a user can save the web page to disk, modify variables such as $To$, $Attach$ and $File$, and resubmit it. This could potentially cause the program to send any file stored on the web server to the user.
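The root cause is that the mailer trusts hidden form fields the client can edit. The following is an added example (not code from Stalkerlab or CGImail.exe) contrasting that weak pattern with a handler that accepts only short lookup keys and maps them to server-side recipients and attachment paths; the recipient table, attachment directory and file names are constructed placeholders.

```python
import os
from urllib.parse import parse_qs

# Constructed, hypothetical server-side tables (not CGImail's own configuration).
ALLOWED_RECIPIENTS = {"sales": "sales@example.invalid", "support": "support@example.invalid"}
ATTACHMENT_DIR = os.path.abspath("/var/www/mailer/attachments")  # assumed location
ALLOWED_ATTACHMENTS = {"brochure": "brochure.pdf", "pricelist": "pricelist.txt"}


def weak_resolve(query):
    """The weak pattern: recipient and file paths are taken straight from hidden
    form fields, which the client controls once the page is saved and edited."""
    form = parse_qs(query)
    return {"to": form.get("To", [""])[0],
            "attach": form.get("Attach", [""])[0],
            "file": form.get("File", [""])[0]}


def hardened_resolve(query):
    """Accept only short lookup keys and map them to server-side values.
    Returns the resolved recipient/attachment, or None if the request is rejected."""
    form = parse_qs(query)
    to_key = form.get("To", [""])[0]
    attach_key = form.get("Attach", [""])[0]
    if to_key not in ALLOWED_RECIPIENTS or attach_key not in ALLOWED_ATTACHMENTS:
        return None  # unknown key: never fall back to a client-supplied address or path
    path = os.path.abspath(os.path.join(ATTACHMENT_DIR, ALLOWED_ATTACHMENTS[attach_key]))
    # Defence in depth: the resolved path must stay inside the attachment directory.
    if os.path.commonpath([ATTACHMENT_DIR, path]) != ATTACHMENT_DIR:
        return None
    return {"to": ALLOWED_RECIPIENTS[to_key], "attach": path}


if __name__ == "__main__":
    # Constructed sample submissions: one as the form intends, one edited by the client.
    intended = "To=sales&Attach=brochure&Subject=Hello"
    tampered = "To=attacker%40example.invalid&Attach=..%2Fprivate.txt"
    print("weak:", weak_resolve(tampered))          # passes the edited values straight through
    print("hardened:", hardened_resolve(intended))  # resolves via the allowlist
    print("hardened:", hardened_resolve(tampered))  # None
```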

Copyright 2010, SecurityFocus