• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

PGPMail Remote Command Execution Vulnerability

PGPMail is a modified version of Matt Wright's FormMail 1.5, allowing mail to be encrypted using PGP.

PGPMail is prone to a vulnerability which may allow arbitrary commands to be executed on the shell of a host running it. Commands will be executed with the privileges of the webserver. There are at least two instances in the PGPMail.pl script where shell metacharacters are not adequately filtered from hidden form fields(recipient and pgpuserid).

Although PGPMail does include the security feature of checking the HTTP Referrer against a list of hosts, this vulnerability could be trivially exploited if the HTTP Referrer field of a web request is forged by the attacker.